From: Samanta Navarro Date: Fri, 12 Jan 2024 11:49:27 +0000 (+0000) Subject: lib/sgetgrent.c: fix null pointer dereference X-Git-Tag: 4.15.0-rc1~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a9e07c0feb43ae074e7969b8847250d225dbda22;p=thirdparty%2Fshadow.git lib/sgetgrent.c: fix null pointer dereference If reallocation fails in function list, then reset the size to 0 again. Without the reset, the next call assumes that `members` points to a memory location with reserved space. Also use size_t instead of int for size to prevent signed integer overflows. The length of group lines is not limited. Fixes 45c0003e53ab671c63dcd530fd9f3245d3b29e76 (4.14 release series) Reviewed-by: Alejandro Colomar Signed-off-by: Samanta Navarro
---
diff --git a/lib/sgetgrent.c b/lib/sgetgrent.c
index 77587c433..6894baf99 100644
--- a/lib/sgetgrent.c
+++ b/lib/sgetgrent.c
@@ -37,8 +37,8 @@
 static char **list (char *s)
 {
 static char **members = NULL;
- static int size = 0; /* max members + 1 */
- int i;
+ static size_t size = 0; /* max members + 1 */
+ size_t i;
 
 i = 0;
 for (;;) {
@@ -47,8 +47,10 @@ static char **list (char *s)
 if (i >= size) {
 size = i + 100; /* at least: i + 1 */
 members = REALLOCF(members, size, char *);
- if (!members)
+ if (!members) {
+ size = 0;
 return NULL;
+ }
 }
 if (!s || s[0] == '\0')
 break;
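Review bot: The comment on `size` still reads `/* max members + 1 */`, which does not tell a reader that it counts the `char *` slots currently allocated in the static `members` array, the relationship this commit repairs. I would write `static size_t size = 0; /* slots allocated in members; must be 0 whenever members is NULL */`. Both variables are static, so a stale `size` affects the next group line parsed rather than the current one, and that is worth stating next to the declaration. The body of list() continues outside the hunk, so any later use of `i` in a signed comparison or a format string should be checked against the new unsigned type.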
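Review bot: The new `size = 0;` in the failure branch has no comment, and its correctness depends on what REALLOCF does with the old block, which this hunk does not show. Presumably the macro frees the previous allocation on failure, as its name suggests; if so, a why-comment such as `size = 0; /* old array is gone; force a fresh allocation on the next call */` would record that. If it does not free, overwriting `members` with NULL here would leak the old array, so this is worth confirming against the macro's definition. The callers of list() are outside the hunk and need to handle the NULL return.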