The current version of argz_stringify will underflow its size_t argument if 0 is passed in, and will then go on to change lots of '\0' bytes to something else.
The patch below fixes that by replacing argz_stringify with the version from glibc-2.7 David >From 49d7160e112d6807f891043e51f84f7cce8e8470 Mon Sep 17 00:00:00 2001 From: David Lutterkort <[EMAIL PROTECTED]> Date: Thu, 29 May 2008 14:35:18 -0700 Subject: Fix underflow and subsequent memory corruption * lib/argz.c(argz_stringify): sync with glibc-2.7; previous version would underflow the size_t len when it was 0 * modules/argz: add dependency on strnlen Signed-off-by: David Lutterkort <[EMAIL PROTECTED]> --- lib/argz.c | 23 +++++++++++------------ modules/argz | 1 + 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/lib/argz.c b/lib/argz.c
index 91d284c..5c8bf57 100644
--- a/lib/argz.c
+++ b/lib/argz.c
@@ -409,19 +409,18 @@ argz_next (char *argz, size_t argz_len, const char *entry)
 void
-argz_stringify (char *argz, size_t argz_len, int sep)
+argz_stringify (char *argz, size_t len, int sep)
 {
- assert ((argz && argz_len) || (!argz && !argz_len));
-
- if (sep)
- {
- --argz_len; /* don't stringify the terminating EOS */
- while (--argz_len > 0)
- {
- if (argz[argz_len] == EOS_CHAR)
- argz[argz_len] = sep;
- }
- }
+ if (len > 0)
+ while (1)
+ {
+ size_t part_len = strnlen (argz, len);
+ argz += part_len;
+ len -= part_len;
+ if (len-- <= 1) /* includes final '\0' we want to stop at */
+ break;
+ *argz++ = sep;
+ }
 }
diff --git a/modules/argz b/modules/argz
index 9898435..e2b148f 100644
--- a/modules/argz
+++ b/modules/argz
@@ -10,6 +10,7 @@ Depends-on:
 mempcpy
 stpcpy
 strndup
+strnlen
 configure.ac:
 gl_FUNC_ARGZ
-- 1.5.4.1
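Review bot: The rewritten argz_stringify drops the old `assert ((argz && argz_len) || (!argz && !argz_len));`, so a caller that passes `argz == NULL` together with `len > 0` now reaches `strnlen (argz, len)` and dereferences NULL instead of tripping the assertion; restoring it as `assert ((argz && len) || (!argz && !len));` just before `if (len > 0)` keeps that precondition visible at no cost. The new loop itself looks right: `strnlen` bounds every step by the remaining `len`, and `if (len-- <= 1)` stops on the final terminator, so the `len == 0` underflow of the old `--argz_len` is gone and no byte past `argz + len` is written. As a point of style, the unbraced `if (len > 0) while (1) { ... }` would read more safely with braces around the `if` body, matching the GNU layout used elsewhere in the hunk. The strnlen dependency is declared in modules/argz, but whether lib/argz.c already includes the header that provides it is not visible here; the whole function is inside the hunk.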