fix off-by-one error in getgrnam_r and getgrgid_r, clobbering gr_name

bug report and patch by Michael Forney. the terminating null pointer at the end of the gr_mem array was overwriting the beginning of the string data, causing the gr_name member to always be a zero-length string.

fix off-by-one error in getgrnam_r and getgrgid_r, clobbering gr_name
bug report and patch by Michael Forney. the terminating null pointer at the end of the gr_mem array was overwriting the beginning of the string data, causing the gr_name member to always be a zero-length string.
23b8e3bc · Rich Felker · 211264e4 · 23b8e3bc
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/passwd/getgr_r.c src/passwd/getgr_r.c +2 -2

未找到文件。
--- a/src/passwd/getgr_r.c
+++ b/src/passwd/getgr_r.c
@@ -26,14 +26,14 @@ static int getgr_r(const char *name, gid_t gid, struct group *gr, char *buf, siz
 	while (__getgrent_a(f, gr, &line, &len, &mem, &nmem)) {
 		if (name && !strcmp(name, gr->gr_name)
 		|| !name && gr->gr_gid == gid) {
-			if (size < len + nmem*sizeof(char *) + 32) {
+			if (size < len + (nmem+1)*sizeof(char *) + 32) {
 				rv = ERANGE;
 				break;
 			}
 			*res = gr;
 			buf += (16-(uintptr_t)buf)%16;
 			gr->gr_mem = (void *)buf;
-			buf += nmem*sizeof(char *);
+			buf += (nmem+1)*sizeof(char *);
 			memcpy(buf, line, len);
 			FIX(name);
 			FIX(passwd);