From 51d5e813e9ee6cf23af6c3e96082dc6ecd46d194 Mon Sep 17 00:00:00 2001
From: Jim Meyering <meyering@redhat.com>
Date: Thu, 10 Dec 2009 12:17:19 +0100
Subject: [PATCH] mgetgroups: do not write bytes beyond end of malloc'd buffer

* lib/mgetgroups.c: Fix an off-by-one error.  When we have no
username, we call getgroups with a one-element-shorter buffer,
but still told it the length was original, max_n_groups.
---
 ChangeLog        | 7 +++++++
 lib/mgetgroups.c | 3 ++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 4b150e0da..c656180fe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-12-10  Jim Meyering  <meyering@redhat.com>
+
+	mgetgroups: do not write bytes beyond end of malloc'd buffer
+	* lib/mgetgroups.c: Fix an off-by-one error.  When we have no
+	username, we call getgroups with a one-element-shorter buffer,
+	but still told it the length was original, max_n_groups.
+
 2009-12-09  Eric Blake  <ebb9@byu.net>
 
 	cloexec: relax license
diff --git a/lib/mgetgroups.c b/lib/mgetgroups.c
index 89d161846..0f853d6f8 100644
--- a/lib/mgetgroups.c
+++ b/lib/mgetgroups.c
@@ -141,7 +141,8 @@ mgetgroups (char const *username, gid_t gid, gid_t **groups)
 
   ng = (username
         ? getugroups (max_n_groups, g, username, gid)
-        : getgroups (max_n_groups, g + (gid != (gid_t) -1)));
+        : getgroups (max_n_groups - (gid != (gid_t) -1),
+                                g + (gid != (gid_t) -1)));
 
   if (ng < 0)
     {
-- 
2.11.0