From: Alejandro Colomar Date: Sat, 4 Feb 2023 23:01:13 +0000 (+0100) Subject: Fix use-after-free of pointer after realloc(3) X-Git-Tag: 4.14.0-rc1~158 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7668f77439b6cc1116cab075dfa4184b2076ada0;p=thirdparty%2Fshadow.git Fix use-after-free of pointer after realloc(3) We can't use a pointer that was input to realloc(3), nor any pointers that point to reallocated memory, without making sure that the memory wasn't moved. If we do, the Behavior is Undefined. Signed-off-by: Alejandro Colomar --- diff --git a/libmisc/env.c b/libmisc/env.c index 75c7c8c6a..295df9c19 100644 --- a/libmisc/env.c +++ b/libmisc/env.c @@ -128,12 +128,14 @@ void addenv (const char *string, /*@null@*/const char *value) */ if ((newenvc & (NEWENVP_STEP - 1)) == 0) { - char **__newenvp; + bool update_environ; + char **__newenvp; /* * If the resize operation succeeds we can * happily go on, else print a message. */ + update_environ = (environ == newenvp); __newenvp = REALLOCARRAY(newenvp, newenvc + NEWENVP_STEP, char *); @@ -143,9 +145,8 @@ void addenv (const char *string, /*@null@*/const char *value) * environ so that it doesn't point to some * free memory area (realloc() could move it). */ - if (environ == newenvp) { + if (update_environ) environ = __newenvp; - } newenvp = __newenvp; } else { (void) fputs (_("Environment overflow\n"), log_get_logfd());
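Review bot: In the first hunk (@@ -128,12 +128,14 @@), the new assignment `update_environ = (environ == newenvp);` lands between the existing comment "If the resize operation succeeds we can happily go on, else print a message." and the REALLOCARRAY call that the comment describes, and nothing at that spot says why the comparison has to happen before the call. Suggest moving the assignment above that comment and giving it a comment of its own, stating that the value of newenvp can no longer be used once realloc(3) has succeeded, so the comparison against environ must be taken first. Without that, a later cleanup could fold the comparison back into the `if` after the call. The new `bool` also relies on <stdbool.h> being included in libmisc/env.c, which the visible context does not show.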
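Review bot: In the second hunk (@@ -143,9 +145,8 @@), `if (update_environ)` drops the braces that the replaced `if (environ == newenvp) {` had. This is a style change unrelated to the fix, and it leaves the statement inconsistent with the braced `} else {` branch visible in the same context. Suggest keeping the braces so that the hunk changes only the condition. The retained comment above it ("realloc() could move it") still describes the assignment correctly.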