Fix corruption when using batch files with comments and broken lines.

The problem was that length of allocation changed but caller not told. Anyway, the patch fixes a problem resulting in a double free that occurs when using batch files that contains a special combination of broken up lines and comments as reported in: http://bugs.debian.org/398912 Thanks to Michal Pokrywka <mpokrywka@hoga.pl> for testcase and information on which conditions problem could be reproduced under. Signed-off-by: Andreas Henriksson <andreas@fatal.se> Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
2024-11-15 22:15:13 +08:00 · 2007-10-12 10:56:42 +02:00 · 2007-10-12 10:56:42 +02:00 · d21e88354b
commit d21e88354b
parent 59a3ffb004
2 changed files with 6 additions and 4 deletions
--- a/include/utils.h
+++ b/include/utils.h
@ -144,7 +144,7 @@ int print_timestamp(FILE *fp);
 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))

 extern int cmdlineno;
-extern size_t getcmdline(char **line, size_t *len, FILE *in);
+extern ssize_t getcmdline(char **line, size_t *len, FILE *in);
 extern int makeargs(char *line, char *argv[], int maxargs);

 #endif /* __UTILS_H__ */
--- a/lib/utils.c
+++ b/lib/utils.c
@ -642,9 +642,9 @@ int print_timestamp(FILE *fp)
 int cmdlineno;

 /* Like glibc getline but handle continuation lines and comments */
-size_t getcmdline(char **linep, size_t *lenp, FILE *in)
+ssize_t getcmdline(char **linep, size_t *lenp, FILE *in)
 {
-	size_t cc;
+	ssize_t cc;
 	char *cp;

 	if ((cc = getline(linep, lenp, in)) < 0)
@ -672,9 +672,11 @@ size_t getcmdline(char **linep, size_t *lenp, FILE *in)
 		if (cp)
 			*cp = '\0';

-		*linep = realloc(*linep, strlen(*linep) + strlen(line1) + 1);
+		*lenp = strlen(*linep) + strlen(line1) + 1;
+		*linep = realloc(*linep, *lenp);
 		if (!*linep) {
 			fprintf(stderr, "Out of memory\n");
+			*lenp = 0;
 			return -1;
 		}
 		cc += cc1 - 2;