0071-proc/readproc.c: Harden supgrps_from_supgids().

1/ Prevent an integer overflow of t. 2/ Avoid an infinite loop if s contains characters other than comma, spaces, +, -, and digits. 3/ Handle all possible return values of snprintf(). ---------------------------- adapted for newlib branch . we can't use xrealloc(), so we use realloc() instead . and must account for a mem failure via a return of 1 Signed-off-by: Jim Warner <james.warner@comcast.net>
1970-01-01 00:00:00 +00:00 · 1970-01-01 00:00:00 +00:00 · ec0cb25af6
commit ec0cb25af6
parent 807498f899
1 changed files with 18 additions and 4 deletions
--- a/proc/readproc.c
+++ b/proc/readproc.c
@ -478,11 +478,25 @@ static int supgrps_from_supgids (proc_t *p) {
    s = p->supgid;
    t = 0;
    do {
-        if (',' == *s) ++s;
-        g = pwcache_get_group((uid_t)strtol(s, &s, 10));
-        if (!(p->supgrp = realloc(p->supgrp, P_G_SZ+t+2)))
+        const int max = P_G_SZ+2;
+        char *end = NULL;
+        gid_t gid;
+        int len;
+
+        while (',' == *s) ++s;
+        gid = strtol(s, &end, 10);
+        if (end <= s) break;
+        s = end;
+        g = pwcache_get_group(gid);
+
+        if ((t >= INT_MAX - max)
+        || (!(p->supgrp = realloc(p->supgrp, t + max))))
            return 1;
-        t += snprintf(p->supgrp+t, P_G_SZ+2, "%s%s", t ? "," : "", g);
+
+        len = snprintf(p->supgrp+t, max, "%s%s", t ? "," : "", g);
+        if (len <= 0) (p->supgrp+t)[len = 0] = '\0';
+        else if (len >= max) len = max-1;
+        t += len;
    } while (*s);

    return 0;