Fix a memory access and a double slash bug.
* src/engine-spawn.c (engspawn_start): Allocate space for list terminator. * src/posix-util.c (walk_path): Fix trailing slash detection. -- Kudos to Valgrind for pointing out these two problems. The first is a plain allocation bug in a code pattern I have written thousands of times - this time it went wrong. The allocation is not user controlled and thus not directly exploitable. The second failed to do what it was intended to do. It was found due to the access of malloced but not initialized memory. Not using calloc again proved to be helpful in detecting a logical error.
parent
d5fb92cdae
commit
de4a1ea684
@ -250,7 +250,7 @@ engspawn_start (engine_spawn_t esp, const char *file, const char *argv[],
|
|||||||
n = 0;
|
n = 0;
|
||||||
for (i = 0; esp->fd_data_map[i].data; i++)
|
for (i = 0; esp->fd_data_map[i].data; i++)
|
||||||
n++;
|
n++;
|
||||||
fd_list = calloc (n, sizeof *fd_list);
|
fd_list = calloc (n+1, sizeof *fd_list);
|
||||||
if (!fd_list)
|
if (!fd_list)
|
||||||
return gpg_error_from_syserror ();
|
return gpg_error_from_syserror ();
|
||||||
|
|
||||||
|
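Review bot: The `n+1` in the `calloc` call has no comment saying that the extra element is the list terminator, so the counting loop and the allocation can drift apart again as they did here. I would add `/* One extra entry for the list terminator.  */` directly above the `calloc` line. The code that fills `fd_list` and writes the terminator lies outside the hunk, so it is worth confirming there that exactly `n` entries plus one terminator are stored.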
@ -95,7 +95,7 @@ walk_path (const char *pgm)
|
|||||||
{
|
{
|
||||||
for (s=path, p=fname; *s && *s != ':'; s++, p++)
|
for (s=path, p=fname; *s && *s != ':'; s++, p++)
|
||||||
*p = *s;
|
*p = *s;
|
||||||
if (*p != '/')
|
if (p != fname && p[-1] != '/')
|
||||||
*p++ = '/';
|
*p++ = '/';
|
||||||
strcpy (p, pgm);
|
strcpy (p, pgm);
|
||||||
if (!access (fname, X_OK))
|
if (!access (fname, X_OK))
|
||||||
|
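Review bot: With the new test `p != fname && p[-1] != '/'`, an empty PATH element (a leading, trailing or doubled `:`) leaves `fname` as just `pgm`, so `access (fname, X_OK)` is resolved against the current working directory. That matches the traditional meaning of an empty PATH element, but for a helper that selects the binary to spawn it should be a deliberate choice; the old code read the uninitialized `*p` in this case, so the behaviour was never defined before. If it is intended, say so in a comment such as `/* An empty PATH element means the current directory.  */`; if not, make the `strcpy`/`access` pair conditional on `p != fname`. The enclosing loop and the allocation of `fname` are outside the hunk, so the bound on `strcpy (p, pgm)` cannot be checked from here.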