Opened 6 years ago

Closed 6 years ago

#1308 closed defect (fixed)

process-execute segfaults with huge amount of arguments

Reported by: Vasilij Schneidermann Owned by:
Priority: minor Milestone: 4.12.0
Component: core libraries Version: 4.11.0
Keywords: posix Cc:
Estimated difficulty:

Description

I've noticed this while using a script with the autocompile egg. Minimal reproduction example by sjamaan:

(process-execute "/bin/echo" (map ->string (iota 4000)))

Change History (4)

comment:1 Changed 6 years ago by sjamaan

Milestone: someday → 4.12.0

Putting it on 4.12 for the time being, under the assumption that it's likely something simple.

comment:2 Changed 6 years ago by LemonBoy

Luckily it is quite simple this time :)
[wrt posixunix.scm, the same applies for the windows variant] The setarg/setenv functions will blindly set the i-th element of the given array without checking if the index is within the array boundaries; what happens here is a silly buffer overflow of the C_exec_args/C_exec_env buffers.

PS: It's probably worth adding a NULL guard for the malloc in C_set_arg_string.
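The two defects LemonBoy points out (an unchecked index into a fixed-size argument buffer, and an unchecked malloc) are easy to see in isolation. The following is an added illustration written for this ticket, not CHICKEN's own runtime code: the `argvec` type, its capacity of 16 and the function names are assumptions chosen to stand in for the fixed C_exec_args buffer, and the capacity is kept small so the limit is reached quickly. The setter refuses any index outside the buffer and any failed allocation instead of writing past the end, and `ticket_scenario_ok` replays the 4000-argument reproduction from the description against it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-capacity argument vector, modelled on the fixed-size
 * C_exec_args buffer described in the ticket. All names here are assumptions
 * for this example, not CHICKEN's actual runtime. The capacity is tiny on
 * purpose so the limit is easy to hit. */
#define ARGV_CAPACITY 16

typedef struct {
    char *items[ARGV_CAPACITY + 1]; /* +1 for the terminating NULL execv needs */
    int count;                      /* number of slots in use */
} argvec;

void argvec_init(argvec *v) { memset(v, 0, sizeof *v); }

/* Bounds-checked setter. Returns 0 on success, -1 when the index lies outside
 * the buffer or the string copy cannot be allocated. The unchecked variant
 * described in the ticket wrote items[i] for any i, which is the overflow. */
int argvec_set(argvec *v, int i, const char *s) {
    if (i < 0 || i >= ARGV_CAPACITY) return -1;  /* the missing bounds check */
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL) return -1;                  /* the NULL guard from the PS */
    strcpy(copy, s);
    free(v->items[i]);                            /* replace an earlier value, if any */
    v->items[i] = copy;
    if (i >= v->count) v->count = i + 1;
    v->items[v->count] = NULL;                    /* keep the vector NULL-terminated */
    return 0;
}

/* Append at the next free slot. */
int argvec_push(argvec *v, const char *s) { return argvec_set(v, v->count, s); }

void argvec_free(argvec *v) {
    for (int i = 0; i < v->count; i++) free(v->items[i]);
    argvec_init(v);
}

/* Mirror the reproduction (map ->string (iota n)): push the decimal strings
 * "0".."n-1". Returns how many were accepted; pushing stops at the first
 * refusal instead of running past the buffer. */
int push_iota(argvec *v, int n) {
    int accepted = 0;
    char buf[16];
    for (int k = 0; k < n; k++) {
        snprintf(buf, sizeof buf, "%d", k);
        if (argvec_push(v, buf) != 0) break;
        accepted++;
    }
    return accepted;
}

/* The ticket's 4000-argument scenario against the checked setter. Returns 1
 * when the request is cut off exactly at the capacity, the terminator is
 * intact, and out-of-range indices are refused in both directions. */
int ticket_scenario_ok(void) {
    argvec v;
    argvec_init(&v);
    int accepted = push_iota(&v, 4000);
    int ok = accepted == ARGV_CAPACITY
          && v.items[ARGV_CAPACITY] == NULL
          && strcmp(v.items[ARGV_CAPACITY - 1], "15") == 0
          && argvec_set(&v, ARGV_CAPACITY, "one past the end") == -1
          && argvec_set(&v, -1, "negative index") == -1;
    argvec_free(&v);
    return ok;
}

int main(void) {
    argvec v;
    argvec_init(&v);
    printf("accepted %d of 4000 arguments\n", push_iota(&v, 4000)); /* 16 */
    printf("scenario ok: %d\n", ticket_scenario_ok());               /* 1 */
    argvec_free(&v);
    return 0;
}
```

With the check in place a caller gets an error return it can turn into a Scheme-level exception rather than a corrupted heap; whether the real fix should instead grow the buffer to fit is a separate design decision that this example does not make.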

comment:3 Changed 6 years ago by sjamaan

There's already a patch proposed by C-Keen, and then an improved larger-scale refactoring + patch based on that, which is awaiting review on chicken-hackers.

comment:4 Changed 6 years ago by sjamaan

Resolution: fixed
Status: new → closed

Fixed in 0d20426 / adcec28
