This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] Fix writes past the allocated array bounds in execvpe (BZ# 20847)
On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
> For the first issue I see so, since it allocates the argument list as:
>
>   /* Count the arguments.  */
>   int argc = 0;
>   while (argv[argc++])
>     ;
>   size_t len = (argc + 1) * sizeof (char *);
>   char **script_argv;
>   void *ptr = NULL;
>   if (__libc_use_alloca (len))
>     script_argv = alloca (len);
>   else
>     script_argv = ptr = malloc (len);
>
> Taking into consideration only the argument list plus one, but then writing
> to the argument list plus two positions on 'scripts_argv'.
But the old scripts_argv never writes to new_argv[argc+1]. Here, argc
is already including the NULL in the old argv, and scripts_argv only has
to prepend one new argument (and replace the old argv[0]).
Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
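Added example (not code from the thread or from glibc) that walks through the bounds argument above: it counts argv the way the quoted snippet does, so the terminating NULL is included in argc, then prepends one argument and replaces argv[0] as Andreas describes, and reports the highest index written against the number of slots allocated. The prepend loop is a reconstruction from that description, not the glibc source.

```c
#include <stdlib.h>
#include <string.h>

/* Count argv exactly as the quoted glibc snippet does. The post-increment
   runs once more after hitting the NULL, so for {"a", "b", NULL} this
   returns 3: the NULL terminator is part of argc. */
size_t count_argv_with_null(char *const argv[])
{
    int argc = 0;
    while (argv[argc++])
        ;
    return (size_t) argc;
}

/* Slots allocated by the quoted code: (argc + 1) pointers. */
size_t script_argv_slots(char *const argv[])
{
    return count_argv_with_null(argv) + 1;
}

/* Build {interp, file, argv[1], ..., NULL} in a freshly malloc'd array of
   script_argv_slots(argv) pointers (assumed layout: interpreter first,
   the script path replacing argv[0], then the original tail including
   its NULL). *out_last_index receives the highest index written. */
char **build_script_argv(const char *interp, const char *file,
                         char *const argv[], size_t *out_last_index)
{
    size_t argc = count_argv_with_null(argv);
    char **script_argv = malloc((argc + 1) * sizeof (char *));
    if (script_argv == NULL)
        return NULL;
    script_argv[0] = (char *) interp;
    script_argv[1] = (char *) file;
    /* argv[1] .. argv[argc - 1] (the NULL) land in slots 2 .. argc.
       The array has argc + 1 slots, so slot argc + 1 is never touched. */
    for (size_t i = 1; i < argc; i++)
        script_argv[i + 1] = argv[i];
    *out_last_index = argc;
    return script_argv;
}

/* Returns 1 when every write stays inside the allocation, else 0. */
int script_argv_in_bounds(char *const argv[])
{
    size_t last = 0;
    char **sa = build_script_argv("/bin/sh", argv[0], argv, &last);
    if (sa == NULL)
        return 0;
    int ok = last < script_argv_slots(argv);
    free(sa);
    return ok;
}
```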