Opened 8 years ago
Closed 8 years ago
#1308 closed defect (fixed)
process-execute segfaults with huge amount of arguments
Reported by: | Vasilij Schneidermann | Owned by: |
---|---|---|---
Priority: | minor | Milestone: | 4.12.0
Component: | core libraries | Version: | 4.11.0
Keywords: | posix | Cc: |
Estimated difficulty: | | |
Description
I've noticed this while using a script with the autocompile egg. Minimal reproduction example by sjamaan:
(process-execute "/bin/echo" (map ->string (iota 4000)))
Change History (4)
comment:1 Changed 8 years ago by
Milestone: | someday → 4.12.0
---|---
comment:2 Changed 8 years ago by
Luckily it is quite simple this time :)
[wrt posixunix.scm, the same applies for the windows variant] The setarg/setenv functions will blindly set the i-th element of the given array without checking if the index is within the array boundaries; what happens here is a silly buffer overflow of the C_exec_args/C_exec_env buffers.
PS: It's probably worth adding a NULL guard for the malloc in C_set_arg_string.
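The defect described in comment 2 (an index written into a fixed-size exec vector with no bounds check, plus an unguarded malloc) and its fix, as an added illustration in C. This is not CHICKEN's own code: the buffer capacity, the function names set_arg_string_unchecked/set_arg_string_checked/build_exec_args and the exec_args array are constructed stand-ins for the runtime's C_exec_args and C_set_arg_string, whose real sizes and signatures are not given in the ticket.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity of the fixed-size exec buffer. The real
   C_exec_args capacity is not stated in the ticket; a small constructed
   value is used so the limit is easy to hit in a test. */
#define EXEC_ARGS_CAPACITY 8

/* One extra slot so the vector can always carry the NULL terminator
   that execv() expects. */
static char *exec_args[EXEC_ARGS_CAPACITY + 1];

/* Shape of the bug as comment 2 describes it (constructed illustration,
   never called with an out-of-range index here): the index i is trusted,
   so a loop over 4000 arguments writes far past the end of exec_args,
   and a NULL from malloc would be dereferenced by strcpy. */
static int set_arg_string_unchecked(int i, const char *s) {
    char *copy = malloc(strlen(s) + 1);
    strcpy(copy, s);
    exec_args[i] = copy;
    return 1;
}

/* Hardened version: reject out-of-range slots, guard the allocation,
   and keep the vector NULL-terminated after every store. */
static int set_arg_string_checked(int i, const char *s) {
    if (i < 0 || i >= EXEC_ARGS_CAPACITY)
        return 0;                          /* index outside the buffer */
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL)
        return 0;                          /* propagate allocation failure */
    memcpy(copy, s, n);
    exec_args[i] = copy;
    exec_args[i + 1] = NULL;               /* i + 1 <= EXEC_ARGS_CAPACITY */
    return 1;
}

/* Release whatever has been stored so far. */
static void free_exec_args(void) {
    for (int i = 0; i <= EXEC_ARGS_CAPACITY; i++) {
        free(exec_args[i]);
        exec_args[i] = NULL;
    }
}

/* Fill exec_args from argv[0..argc). Checks the total count up front,
   before touching the buffer, so an oversized list (e.g. the 4000-element
   reproduction) is refused instead of overflowing. Returns the number of
   arguments stored, or -1 on failure (buffer left empty). */
static int build_exec_args(const char **argv, int argc) {
    if (argc < 0 || argc > EXEC_ARGS_CAPACITY)
        return -1;
    for (int i = 0; i < argc; i++) {
        if (!set_arg_string_checked(i, argv[i])) {
            free_exec_args();
            return -1;
        }
    }
    exec_args[argc] = NULL;
    return argc;
}

int main(void) {
    const char *small[] = {"/bin/echo", "a", "b"};
    int n = build_exec_args(small, 3);
    printf("small list: stored %d arguments\n", n);
    free_exec_args();

    /* The reproduction from the ticket, 4000 arguments, is rejected
       before any element is written. */
    n = build_exec_args(NULL, 4000);
    printf("4000 arguments: result %d (refused, no overflow)\n", n);
    (void)set_arg_string_unchecked;   /* shown for contrast only */
    return 0;
}
```

The count check in build_exec_args is the simplest fix for the crash in the ticket; the per-slot check in set_arg_string_checked is what protects any other caller that writes into the same buffer directly.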
comment:3 Changed 8 years ago by
There's already a patch proposed by C-Keen, and then an improved larger-scale refactoring + patch based on that, which is awaiting review on chicken-hackers.
comment:4 Changed 8 years ago by
Resolution: | → fixed
---|---
Status: | new → closed
Fixed in 0d20426 / adcec28
Putting it on 4.12 for the time being, under the assumption that it's likely something simple.