Fixes a buffer overflow triggered when more than three "--readfd"
arguments were given on the command line.
Signed-off-by: Tim Wiederhake <twiederh(a)redhat.com>
---
tests/commandhelper.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/tests/commandhelper.c b/tests/commandhelper.c
index d501e33e88..72a3e89da1 100644
--- a/tests/commandhelper.c
+++ b/tests/commandhelper.c
@@ -194,13 +194,22 @@ static int printCwd(FILE *log)
static int printInput(struct Arguments *args)
{
char buf[1024];
- struct pollfd fds[3];
- char *buffers[3] = {NULL, NULL, NULL};
- size_t buflen[3] = {0, 0, 0};
+ struct pollfd *fds = NULL;
+ char **buffers = NULL;
+ size_t *buflen = NULL;
int ret = -1;
size_t i;
ssize_t got;
+ if (!(fds = calloc(args->numreadfds, sizeof(*fds))))
+ goto cleanup;
+
+ if (!(buffers = calloc(args->numreadfds, sizeof(*buffers))))
+ goto cleanup;
+
+ if (!(buflen = calloc(args->numreadfds, sizeof(*buflen))))
+ goto cleanup;
+
if (args->close_stdin) {
if (freopen("/dev/null", "r", stdin) != stdin)
goto cleanup;
@@ -282,8 +291,14 @@ static int printInput(struct Arguments *args)
ret = 0;
cleanup:
- for (i = 0; i < G_N_ELEMENTS(buffers); i++)
- free(buffers[i]);
+ if (buffers) {
+ for (i = 0; i < args->numreadfds; i++)
+ free(buffers[i]);
+ }
+ free(fds);
+ free(buflen);
+ free(buffers);
+
return ret;
}
--
2.26.2