lib/sgetgrent.c: fix null pointer dereference
authorSamanta Navarro <ferivoz@riseup.net>
Fri, 12 Jan 2024 11:49:27 +0000 (11:49 +0000)
committerSerge Hallyn <serge@hallyn.com>
Mon, 15 Jan 2024 19:06:35 +0000 (13:06 -0600)
If reallocation fails in function list, then reset the size to 0 again.
Without the reset, the next call assumes that `members` points to
a memory location with reserved space.

Also use size_t instead of int for size to prevent signed integer
overflows. The length of group lines is not limited.

Fixes 45c0003e53ab671c63dcd530fd9f3245d3b29e76 (4.14 release series)

Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
lib/sgetgrent.c

index 77587c43334065e271e1e74a1b5b038d4c796515..6894baf994814e16c5b8bca0ae2b8b2e952ae625 100644 (file)
@@ -37,8 +37,8 @@
 static char **list (char *s)
 {
        static char **members = NULL;
-       static int size = 0;    /* max members + 1 */
-       int i;
+       static size_t size = 0; /* max members + 1 */
+       size_t i;
 
        i = 0;
        for (;;) {
@@ -47,8 +47,10 @@ static char **list (char *s)
                if (i >= size) {
                        size = i + 100; /* at least: i + 1 */
                        members = REALLOCF(members, size, char *);
-                       if (!members)
+                       if (!members) {
+                               size = 0;
                                return NULL;
+                       }
                }
                if (!s || s[0] == '\0')
                        break;
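Review bot: The new `size = 0;` in the `if (!members)` branch restores the invariant between the two statics, but no comment says why it is needed, and `size` is still written before the allocation is known to have succeeded. Presumably REALLOCF frees the old array on failure (its definition is not in this hunk), which leaves `members` NULL with a stale `size`, so the next call would pass the `i >= size` check and store through a null pointer. I would add a comment such as `/* REALLOCF released the old array: keep size in sync with members */` above the reset. Alternatively, compute the new capacity in a local and assign `size` only after the NULL check, so the pair can never disagree. The body of list() continues past the end of the hunk.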