This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Fix writes past the allocated array bounds in execvpe (BZ# 20847)
On 21/11/2016 12:48, Andreas Schwab wrote:
> On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
>
>> On 21/11/2016 12:17, Andreas Schwab wrote:
>>> On Nov 21 2016, Adhemerval Zanella <adhemerval.zanella@linaro.org> wrote:
>>>
>>>> For the first issue I see so, since it allocates the argument list as:
>>>>
>>>>   /* Count the arguments.  */
>>>>   int argc = 0;
>>>>   while (argv[argc++])
>>>>     ;
>>>>   size_t len = (argc + 1) * sizeof (char *);
>>>>   char **script_argv;
>>>>   void *ptr = NULL;
>>>>   if (__libc_use_alloca (len))
>>>>     script_argv = alloca (len);
>>>>   else
>>>>     script_argv = ptr = malloc (len);
>>>>
>>>> Taking into consideration only the argument list plus one, but then writing
>>>> to the argument list plus 2 positions on 'scripts_argv'.
>>>
>>> But the old scripts_argv never writes to new_argv[argc+1]. Here, argc
>>> is already including the NULL in the old argv, and scripts_argv only has
>>> to prepend one new argument (and replace the old argv[0]).
>>
>> Right, but then I think it incurs another issue where the resulting new
>> argument variable would not contain a final NULL.
>
> scripts_argv first copies argv[argc-1], which is the final NULL.
Indeed, never mind my previous comments then.
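The bound arithmetic Andreas walks through above is easy to get wrong, so here is a stand-alone C illustration of it. This is added example code, not glibc's implementation: `build_script_argv`, `vec_len` and `demo_check` are names chosen for this example, `/bin/sh` stands in for `_PATH_BSHELL`, and the sample `argv` is constructed for the demo. The function counts `argc` with the same post-increment loop as the quoted code (so `argc` includes the terminating NULL), allocates `argc + 1` pointers, and copies backwards starting from `argv[argc - 1]`, which is why the result ends up NULL-terminated without any write beyond the last slot. An `argv` with no `argv[0]` at all is rejected rather than handled, because the thread's reasoning assumes at least one entry before the NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not glibc's code): build the vector a script fallback
   would hand to the shell, using the counting and copying scheme
   discussed in the thread.  argv is NULL-terminated.  Returns a
   malloc'd, NULL-terminated vector, or NULL on failure; the caller frees it.  */
char **build_script_argv(const char *shell, const char *file, char *const argv[])
{
    /* The thread's arithmetic assumes argv[0] exists; an argv that is
       only { NULL } would leave no room for the terminator, so refuse it.  */
    if (argv == NULL || argv[0] == NULL)
        return NULL;

    /* Count the arguments.  Because of the post-increment, argc ends one
       past the last real argument, i.e. it already counts the final NULL.  */
    int argc = 0;
    while (argv[argc++])
        ;

    /* Slots needed: shell, file, argv[1 .. argc-2], and the NULL that sits
       at argv[argc-1].  That is exactly argc + 1 pointers.  */
    size_t len = (size_t)(argc + 1) * sizeof(char *);
    char **script_argv = malloc(len);
    if (script_argv == NULL)
        return NULL;

    script_argv[0] = (char *)shell;
    script_argv[1] = (char *)file;

    /* Copy backwards.  The first iteration stores argv[argc-1], the final
       NULL, into script_argv[argc], the highest valid slot.  The last
       iteration (argc == 2) stores argv[1] into script_argv[2]; argv[0] is
       replaced by the two prepended entries.  */
    while (argc > 1) {
        script_argv[argc] = argv[argc - 1];
        --argc;
    }
    return script_argv;
}

/* Number of non-NULL entries in a NULL-terminated vector.  */
size_t vec_len(char *const vec[])
{
    size_t n = 0;
    while (vec[n])
        n++;
    return n;
}

/* Build the constructed sample and verify the expected layout.
   Returns 1 when every slot holds what the thread's reasoning predicts.  */
int demo_check(void)
{
    char *argv[] = { "myscript", "--flag", "value", NULL };   /* constructed */
    char **s = build_script_argv("/bin/sh", "/usr/local/bin/myscript", argv);
    if (s == NULL)
        return 0;
    int ok = strcmp(s[0], "/bin/sh") == 0
          && strcmp(s[1], "/usr/local/bin/myscript") == 0
          && strcmp(s[2], "--flag") == 0
          && strcmp(s[3], "value") == 0
          && s[4] == NULL
          && vec_len(s) == 4;
    free(s);
    return ok;
}

int main(void)
{
    char *argv[] = { "myscript", "--flag", "value", NULL };   /* constructed */
    char **s = build_script_argv("/bin/sh", "/usr/local/bin/myscript", argv);
    if (s == NULL)
        return 1;
    for (size_t i = 0; s[i] != NULL; i++)
        printf("script_argv[%zu] = %s\n", i, s[i]);
    free(s);
    return demo_check() ? 0 : 1;
}
```

Compile with `cc -Wall -o script_argv script_argv.c` and run it; the printed slots show `/bin/sh`, the script path, and then the original arguments from `argv[1]` onwards, with the terminator landing in the last of the `argc + 1` slots.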