
glibc-2.5-49.el5_5.5.src.rpm

2006-12-09  Jakub Jelinek  <jakub@redhat.com>

	* misc/getusershell.c (initshells): Check for integer overflows.
	Make strings buffer one bigger as fgets always succeeds when second
	argument is 1.  Don't use calloc for shells array.  Disallow
	/ as shell.

--- libc/misc/getusershell.c	15 May 2006 18:56:36 -0000	1.16
+++ libc/misc/getusershell.c	9 Dec 2006 22:25:00 -0000	1.17
@@ -98,7 +98,7 @@ initshells()
 	register char **sp, *cp;
 	register FILE *fp;
 	struct stat64 statb;
-	int flen;
+	size_t flen;
 
 	free(shells);
 	shells = NULL;
@@ -114,9 +114,11 @@ initshells()
 		okshells[1] = _PATH_CSHELL;
 		return (char **) okshells;
 	}
-	if ((strings = malloc((u_int)statb.st_size + 1)) == NULL)
+	if (statb.st_size > ~(size_t)0 / sizeof (char *) * 3)
 		goto init_okshells;
-	shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
+	if ((strings = malloc(statb.st_size + 2)) == NULL)
+		goto init_okshells;
+	shells = malloc(statb.st_size / 3 * sizeof (char *));
 	if (shells == NULL) {
 		free(strings);
 		strings = NULL;
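Review bot: The `shells` allocation `malloc(statb.st_size / 3 * sizeof (char *))` assumes every stored entry consumes at least three bytes of the file, but the check added in the next hunk (`cp[1] == '\0'`) still accepts a line that is just `/` followed by a newline, and a final line without a newline can also be two bytes, so `*sp++ = cp` can write past the array. For a file shorter than three bytes the request is zero bytes. Because calloc was replaced by malloc the slots are no longer zeroed, so any terminator written after the loop (not visible here) needs a slot of its own. I would reject a `/` followed by whitespace, `if (*cp == '#' || *cp == '\0' || cp[1] == '\0' || isspace((unsigned char) cp[1]))`, and allocate `(statb.st_size / 3 + 2)` slots with the overflow guard tightened to match, or else bound `sp` explicitly inside the loop. initshells() starts and ends outside these hunks.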
@@ -124,11 +126,11 @@ initshells()
 	}
 	sp = shells;
 	cp = strings;
-	flen = statb.st_size;
+	flen = statb.st_size + 2;
 	while (fgets_unlocked(cp, flen - (cp - strings), fp) != NULL) {
 		while (*cp != '#' && *cp != '/' && *cp != '\0')
 			cp++;
-		if (*cp == '#' || *cp == '\0')
+		if (*cp == '#' || *cp == '\0' || cp[1] == '\0')
 			continue;
 		*sp++ = cp;
 		while (!isspace(*cp) && *cp != '#' && *cp != '\0')
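Review bot: `flen` is now a `size_t`, but the size parameter of `fgets_unlocked` is an `int`, so `flen - (cp - strings)` is narrowed at the call. The guard in the previous hunk only bounds `st_size` against the pointer-array size, which on an LP64 target lets values above INT_MAX through; for such a file the narrowed argument may come out zero or negative and the read behaviour is then implementation-specific. Capping the size in the guard, for example adding `|| statb.st_size > INT_MAX - 2` (with `<limits.h>` if it is not already included) and falling back to the default list, would keep the argument in range. The loop body continues outside the hunk.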