From: Jakub Jelinek
Date: Fri, 12 Jan 2007 17:11:28 +0000 (+0000)
Subject: * misc/getusershell.c (initshells): Check for integer overflows.
X-Git-Tag: cvs/fedora-glibc-2_5-20070712T1701~91
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f1985efa522f3b8dad1970363fb6f7fa832c03d8;p=thirdparty%2Fglibc.git
* misc/getusershell.c (initshells): Check for integer overflows. Make strings buffer one bigger as fgets always succeeds when second argument is 1. Don't use calloc for shells array. Disallow / as shell.
---
diff --git a/ChangeLog b/ChangeLog
index c1720cde3ed..08358ebd05a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2006-12-09 Jakub Jelinek
+
+ * misc/getusershell.c (initshells): Check for integer overflows.
+ Make strings buffer one bigger as fgets always succeeds when second
+ argument is 1. Don't use calloc for shells array. Disallow
+ / as shell.
+
 2006-12-05 Jakub Jelinek
 
 * nis/nis_subr.c (nis_getnames): Revert last change.
diff --git a/misc/getusershell.c b/misc/getusershell.c
index 255b579b1ad..636da322f96 100644
--- a/misc/getusershell.c
+++ b/misc/getusershell.c
@@ -98,7 +98,7 @@ initshells()
 register char **sp, *cp;
 register FILE *fp;
 struct stat64 statb;
- int flen;
+ size_t flen;
 
 free(shells);
 shells = NULL;
@@ -114,9 +114,11 @@ initshells()
 okshells[1] = _PATH_CSHELL;
 return (char **) okshells;
 }
- if ((strings = malloc((u_int)statb.st_size + 1)) == NULL)
+ if (statb.st_size > ~(size_t)0 / sizeof (char *) * 3)
 goto init_okshells;
- shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
+ if ((strings = malloc(statb.st_size + 2)) == NULL)
+ goto init_okshells;
+ shells = malloc(statb.st_size / 3 * sizeof (char *));
 if (shells == NULL) {
 free(strings);
 strings = NULL;
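Review bot: The `malloc(statb.st_size / 3 * sizeof (char *))` in the -114 hunk sizes the pointer array on the assumption that every stored entry consumes at least three bytes of the file, and with calloc gone there is no zeroed slack behind it. The filter in the -124 hunk still stores a bare `/` that is followed by a newline (a two-byte line), a final line without a newline can also be two bytes, and any terminating NULL written after the loop (not visible in these hunks) needs one more slot. A file made of such short lines would let `*sp++ = cp` run past the allocation, so I would size it as `shells = malloc((statb.st_size / 2 + 2) * sizeof (char *));` and tighten the `~(size_t)0 / sizeof (char *) * 3` guard to match the new divisor. A one-line comment above the allocation stating the bytes-per-entry assumption would keep it in step with the loop's filter.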
@@ -124,11 +126,11 @@ initshells()
 }
 sp = shells;
 cp = strings;
- flen = statb.st_size;
+ flen = statb.st_size + 2;
 while (fgets_unlocked(cp, flen - (cp - strings), fp) != NULL) {
 while (*cp != '#' && *cp != '/' && *cp != '\0')
 cp++;
- if (*cp == '#' || *cp == '\0')
+ if (*cp == '#' || *cp == '\0' || cp[1] == '\0')
 continue;
 *sp++ = cp;
 while (!isspace(*cp) && *cp != '#' && *cp != '\0')
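Review bot: The added `cp[1] == '\0'` test only rejects a `/` that is the last byte fgets stored; for a line holding `/` and a newline, `cp[1]` is `'\n'`, so the entry is still recorded, which is the case the changelog says should be disallowed. Testing the class of the next character closes that: `if (*cp == '#' || *cp == '\0' || cp[1] == '\0' || isspace((unsigned char) cp[1]))`, and a `/` directly followed by `#` would need the same treatment. The loop body continues past the end of the hunk, so how the entry is terminated is inferred from the visible `while (!isspace(*cp) ...)` scan. Presumably callers use this list to decide whether an account's login shell is permitted, in which case a stored `/` entry would be accepted as valid.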