Fix use-after-free of pointer after realloc(3)
authorAlejandro Colomar <alx@kernel.org>
Sat, 4 Feb 2023 23:01:13 +0000 (00:01 +0100)
committerSerge Hallyn <serge@hallyn.com>
Fri, 24 Feb 2023 02:28:43 +0000 (20:28 -0600)
We can't use a pointer that was input to realloc(3), nor any pointers
that point to reallocated memory, without making sure that the memory
wasn't moved.  If we do, the Behavior is Undefined.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
libmisc/env.c

index 75c7c8c6a781e504947e7078522e5ce43ca8676f..295df9c1995ea6a38d8a38caa125c419f0e41c62 100644 (file)
@@ -128,12 +128,14 @@ void addenv (const char *string, /*@null@*/const char *value)
         */
 
        if ((newenvc & (NEWENVP_STEP - 1)) == 0) {
-               char **__newenvp;
+               bool  update_environ;
+               char  **__newenvp;
 
                /*
                 * If the resize operation succeeds we can
                 * happily go on, else print a message.
                 */
+               update_environ = (environ == newenvp);
 
                __newenvp = REALLOCARRAY(newenvp, newenvc + NEWENVP_STEP, char *);
 
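Review bot: The new `update_environ = (environ == newenvp);` sits directly under the existing comment about the resize succeeding or failing, so nothing at that spot says why the comparison has to happen before the `REALLOCARRAY` call. I would move the assignment above that comment block and give it its own comment, e.g. `/* Compare before the realloc: the old newenvp value must not be read afterwards. */`, so that a later cleanup does not fold the test back into the success branch. The hunk also introduces `bool`, and whether `<stdbool.h>` is already included is not visible from here; `__newenvp`, re-touched here for alignment, uses a double-underscore name that is reserved for the implementation and could be renamed while the line is changing. addenv starts before this hunk and continues after it.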
@@ -143,9 +145,8 @@ void addenv (const char *string, /*@null@*/const char *value)
                         * environ so that it doesn't point to some
                         * free memory area (realloc() could move it).
                         */
-                       if (environ == newenvp) {
+                       if (update_environ)
                                environ = __newenvp;
-                       }
                        newenvp = __newenvp;
                } else {
                        (void) fputs (_("Environment overflow\n"), log_get_logfd());
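Review bot: Dropping the braces around `environ = __newenvp;` is a style change unrelated to the fix, and it leaves the write to the process-global `environ` guarded by an unbraced `if` directly above the unconditional `newenvp = __newenvp;`. Keeping `if (update_environ) {` and the closing `}` as before would keep the fix minimal, and would stop a later edit from landing a second statement outside the guard by accident. If the project style has since moved to unbraced single statements this is moot, but that cannot be told from the visible lines. The enclosing block and its `else` branch continue past the end of the hunk.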