| author | Rich Felker <dalias@aerifal.cx> | 2013-09-29 02:52:33 -0400 | 
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2013-09-29 02:52:33 -0400 | 
| commit | 23b8e3bc95620b0bd90a78ce0d926942c12b45da (patch) | |
| tree | b4ef44467f7890cb88a56d939d2d19e6bd2c7643 | |
| parent | 211264e46a2f1bc382a84435e904d1548de672b0 (diff) | |
| download | musl-23b8e3bc95620b0bd90a78ce0d926942c12b45da.tar.gz | |
fix off-by-one error in getgrnam_r and getgrgid_r, clobbering gr_name
bug report and patch by Michael Forney. the terminating null pointer
at the end of the gr_mem array was overwriting the beginning of the
string data, causing the gr_name member to always be a zero-length
string.
| -rw-r--r-- | src/passwd/getgr_r.c | 4 | 
1 files changed, 2 insertions, 2 deletions
diff --git a/src/passwd/getgr_r.c b/src/passwd/getgr_r.c
index 234c9013..3fe2e2b2 100644
--- a/src/passwd/getgr_r.c
+++ b/src/passwd/getgr_r.c
@@ -26,14 +26,14 @@ static int getgr_r(const char *name, gid_t gid, struct group *gr, char *buf, siz
 	while (__getgrent_a(f, gr, &line, &len, &mem, &nmem)) {
 		if (name && !strcmp(name, gr->gr_name)
 		|| !name && gr->gr_gid == gid) {
-			if (size < len + nmem*sizeof(char *) + 32) {
+			if (size < len + (nmem+1)*sizeof(char *) + 32) {
 				rv = ERANGE;
 				break;
 			}
 			*res = gr;
 			buf += (16-(uintptr_t)buf)%16;
 			gr->gr_mem = (void *)buf;
-			buf += nmem*sizeof(char *);
+			buf += (nmem+1)*sizeof(char *);
 			memcpy(buf, line, len);
 			FIX(name);
 			FIX(passwd);
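Review bot: The corrected bound `size < len + (nmem+1)*sizeof(char *) + 32` still leaves the `+ 32` unexplained, and since this is exactly the arithmetic that was off by one, the relationship between the check and the layout that follows deserves a comment so the next layout change does not reintroduce the bug. I would put above the check `/* (nmem+1) pointer slots for gr_mem plus its terminating NULL; +32 presumably covers the up-to-15-byte realignment of buf below — confirm the remaining headroom is intended */`. The hunk now reserves nmem+1 slots, but the store of the terminating NULL pointer into gr_mem[nmem] and the FIX() macro are not in view, so whether every write lands inside the reserved region can only be confirmed against code after the hunk. Note also that the sum in the check is not guarded against wrap-around; the types of len and nmem are not visible here, and given the input comes from the group database this is likely acceptable, but it is worth stating in the same comment. getgr_r's body starts before and continues after this hunk.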
