1c6a1206bd
If reallocation fails in function list, then reset the size to 0 again. Without the reset, the next call assumes that `members` points to a memory location with reserved space. Also use size_t instead of int for size to prevent signed integer overflows. The length of group lines is not limited. Fixes45c0003e53(4.14 release series) Proof of Concept: - Prepare a group file (one long group line and a shorter one, both with a list of users) $ echo -n "root:x:0:" > /tmp/uwu $ yes , | tr -d '\n' | dd of=/tmp/uwu bs=10 count=3145728 seek=1 conv=notrunc iflag=fullblock $ echo -e "\nbin:x:1:," >> /tmp/uwu - Run grpck with tight memory constraints $ ulimit -d 102400 $ grpck /tmp/uwu Segmentation fault (core dumped) Reviewed-by: Alejandro Colomar <alx@kernel.org> Signed-off-by: Samanta Navarro <ferivoz@riseup.net> Cherry-picked-from:a9e07c0feb("lib/sgetgrent.c: fix null pointer dereference") Link: <https://github.com/shadow-maint/shadow/pull/904> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2.5 KiB
2.5 KiB