From 7668f77439b6cc1116cab075dfa4184b2076ada0 Mon Sep 17 00:00:00 2001
From: Alejandro Colomar
Date: Sun, 5 Feb 2023 00:01:13 +0100
Subject: [PATCH] Fix use-after-free of pointer after realloc(3)

We can't use a pointer that was input to realloc(3), nor any pointers that point to reallocated memory, without making sure that the memory wasn't moved. If we do, the Behavior is Undefined.

Signed-off-by: Alejandro Colomar
---
 libmisc/env.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libmisc/env.c b/libmisc/env.c
index 75c7c8c6..295df9c1 100644
--- a/libmisc/env.c
+++ b/libmisc/env.c
@@ -128,12 +128,14 @@ void addenv (const char *string, /*@null@*/const char *value)
 */
 if ((newenvc & (NEWENVP_STEP - 1)) == 0) {
- char **__newenvp;
+ bool update_environ;
+ char **__newenvp;
 /*
 * If the resize operation succeeds we can
 * happily go on, else print a message.
 */
+ update_environ = (environ == newenvp);
 __newenvp = REALLOCARRAY(newenvp, newenvc + NEWENVP_STEP, char *);
@@ -143,9 +145,8 @@ void addenv (const char *string, /*@null@*/const char *value)
 * environ so that it doesn't point to some
 * free memory area (realloc() could move it).
 */
- if (environ == newenvp) {
+ if (update_environ)
 environ = __newenvp;
- }
 newenvp = __newenvp;
 } else {
 (void) fputs (_("Environment overflow\n"), log_get_logfd());
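Review bot: The added `update_environ = (environ == newenvp);` in the first hunk has no comment explaining why the comparison must be taken before the REALLOCARRAY() call. The existing "If the resize operation succeeds…" comment now sits above this assignment rather than above the call it describes. Without a note, a later cleanup could fold the flag back into the post-realloc `if` and reintroduce the read of a stale pointer. I would add `/* Compare before REALLOCARRAY(): newenvp must not be read once the block may have been moved or freed. */` directly above the assignment and move the older comment down to the call. The body of addenv starts and ends outside this hunk.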
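Review bot: The rewritten `if (update_environ)` in the second hunk drops the braces that the removed lines had and that the neighbouring `} else {` still uses. From the visible lines the file appears to brace every control body. An unbraced single statement in the branch that reassigns `environ` is easy to break when a second statement is added later. I would keep the braced form: `if (update_environ) {`, `environ = __newenvp;`, `}`. The enclosing `if (NULL != __newenvp)` block opens outside this hunk.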