Fix unbounded memory usage and infinite loop in fgetgrent_r(3).

2015-06-27 03:18:49 +02:00 · 2015-06-27 03:18:49 +02:00 · 6d052efd19
parent 53f20c5519
commit 6d052efd19
1 changed files with 3 additions and 1 deletions
--- a/libc/grp/fgetgrent_r.cpp
+++ b/libc/grp/fgetgrent_r.cpp
@ -83,6 +83,8 @@ static size_t count_num_members(const char* member_string)
 		result++;
 		while ( *member_string && *member_string != ',' )
 			member_string++;
+		if ( *member_string == ',' )
+			member_string++;
 	}
 	return result;
 }
@ -205,7 +207,7 @@ int fgetgrent_r(FILE* restrict fp,

 	size_t num_members = count_num_members(member_string);
 	size_t member_list_bytes = (num_members + 1) * sizeof(char*);
-	size_t available_bytes = buf_len < buf_used;
+	size_t available_bytes = buf_len - buf_used;
 	if ( available_bytes < member_list_bytes )
 		goto range_failure;