This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH] Fix writes past the allocated array bounds in execvpe (BZ# 20847)

On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:

> For first issue I see so, since it allocates the argument list as:
>
>  64           /* Count the arguments.  */
>  65           int argc = 0;
>  66           while (argv[argc++])
>  67             ;
>  68           size_t len = (argc + 1) * sizeof (char *);
>  69           char **script_argv;
>  70           void *ptr = NULL;
>  71           if (__libc_use_alloca (len))
>  72             script_argv = alloca (len);
>  73           else
>  74             script_argv = ptr = malloc (len);
>
> Taking in consideration only argument list plus one but then writing
> argument list plus 2 position on 'scripts_argv'.

But the old scripts_argv never writes to new_argv[argc+1].  Here, argc
is already including the NULL in the old argv, and scripts_argv only has
to prepend one new argument (and replace the old argv[0]).

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]