mgetgroups: do not write bytes beyond end of malloc'd buffer

author Jim Meyering <meyering@redhat.com>

Thu, 10 Dec 2009 11:17:19 +0000 (12:17 +0100)

committer Jim Meyering <meyering@redhat.com>

Thu, 10 Dec 2009 11:17:19 +0000 (12:17 +0100)
author Jim Meyering <meyering@redhat.com>
Thu, 10 Dec 2009 11:17:19 +0000 (12:17 +0100)
committer Jim Meyering <meyering@redhat.com>
Thu, 10 Dec 2009 11:17:19 +0000 (12:17 +0100)
diff --git a/ChangeLog b/ChangeLog

index 4b150e0..c656180 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-12-10  Jim Meyering  <meyering@redhat.com>
+
+       mgetgroups: do not write bytes beyond end of malloc'd buffer
+       * lib/mgetgroups.c: Fix an off-by-one error.  When we have no
+       username, we call getgroups with a one-element-shorter buffer,
+       but still told it the length was original, max_n_groups.
+
  2009-12-09  Eric Blake  <ebb9@byu.net>
  
         cloexec: relax license
diff --git a/lib/mgetgroups.c b/lib/mgetgroups.c

index 89d1618..0f853d6 100644 (file)
--- a/lib/mgetgroups.c
+++ b/lib/mgetgroups.c
@@ -141,7 +141,8 @@ mgetgroups (char const *username, gid_t gid, gid_t **groups)
  
    ng = (username
          ? getugroups (max_n_groups, g, username, gid)
-        : getgroups (max_n_groups, g + (gid != (gid_t) -1)));
+        : getgroups (max_n_groups - (gid != (gid_t) -1),
+                                g + (gid != (gid_t) -1)));
  
    if (ng < 0)
      {
author	Jim Meyering <meyering@redhat.com>
	Thu, 10 Dec 2009 11:17:19 +0000 (12:17 +0100)
committer	Jim Meyering <meyering@redhat.com>
	Thu, 10 Dec 2009 11:17:19 +0000 (12:17 +0100)
ChangeLog		patch \| blob \| history
lib/mgetgroups.c		patch \| blob \| history