Static analysis from Hyejin Kim found possible pointer underflow.

Now that the kernel's 128k environment size has been lifted, it might be
possible to feed in a gigabyte of suffix so argv[2] is enough larger than
argv[1] that char *s decrements past NULL and points to arbitrary high
memory (I.E. strlen(suffix) > (long)base), at which point the base > s
test is defeated and we strcmp() against a wild pointer.

Which is read only anyway and on 64 bit you probably couldn't hit any
interesting addresses, but the fix is easy enough: compare strlen values
instead of pointers. So do that instead.

0 files changed, 0 insertions, 0 deletions