Package: dchroot
Version: 0.11
Tags: patch

dchroot contains the following statement.

                      dchroot_printf("Unknown option '-%c%c'.\n",
                                     argv[index][1], argv[index][2]);

However, it is not assured that strlen(argv[index])>=2 in the statement.
So it accesses beyond the bounds of the string.

% dchroot - foo | head -1 | od -c
0000000   d   c   h   r   o   o   t   :       U   n   k   n   o   w   n
0000020       o   p   t   i   o   n       '   -  \0   f   '   .  \n
                                                      ^ argv[2][0]
% dchroot - | head -1 | od -c
0000000   d   c   h   r   o   o   t   :       U   n   k   n   o   w   n
0000020       o   p   t   i   o   n       '   -  \0   S   '   .  \n
                                                      ^?? the value of next addr in stack

--- dchroot-0.11.orig/dchroot.c
+++ dchroot-0.11/dchroot.c
@@ -376,8 +376,8 @@
        while (argv[index] && argv[index][0] == '-') {
 
                if (argv[index][1] == '\0' || argv[index][2] != '\0') {
-                       dchroot_printf("Unknown option '-%c%c'.\n",
-                                      argv[index][1], argv[index][2]);
+                       dchroot_printf("Unknown option '%.2s'.\n",
+                                      argv[index]);
                        usage(argv[0]);
                        exit(EXIT_FAILURE);
                }
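Review bot: In the new dchroot_printf call, '%.2s' counts the leading '-' toward its two characters, so an argument such as -foo is now reported as '-f', one character less than the old '-%c%c' format showed and easy to mistake for a complaint about a single-letter option. Assuming dchroot_printf hands its format to a printf-style formatter, '%.3s' would keep the previous output for long arguments, and plain '%s' would show the whole rejected argument; both still stop at the terminating NUL, so the read past the end of "-" stays fixed. The condition on the context line above is already safe because argv[index][2] is only evaluated when argv[index][1] is not '\0'.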

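The over-read described in the report, reproduced deterministically as an added example (not code from dchroot or from the reporter). Assumptions: snprintf stands in for dchroot_printf, the constructed buffer packed_args imitates two adjacent argv strings ("-" then "foo"), and the names format_before, format_after and has_embedded_nul are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for adjacent argv strings: "-" followed by "foo". */
static const char packed_args[] = "-\0foo";

/* Format used before the patch: reads arg[1] and arg[2] unconditionally. */
int format_before(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, "Unknown option '-%c%c'.\n", arg[1], arg[2]);
}

/* Format used by the patch: %.2s stops at the terminator or after 2 bytes. */
int format_after(char *out, size_t outlen, const char *arg)
{
    return snprintf(out, outlen, "Unknown option '%.2s'.\n", arg);
}

/* Returns 1 if the first len bytes of msg contain a NUL byte. */
int has_embedded_nul(const char *msg, int len)
{
    return len > 0 && memchr(msg, '\0', (size_t)len) != NULL;
}

int main(void)
{
    char buf[64];
    const char *arg = packed_args;  /* plays the role of argv[index] == "-" */

    /* Old format: the terminator and the first byte of the next string
       both end up inside the message, as in the od -c output above. */
    int n = format_before(buf, sizeof buf, arg);
    printf("before: %d bytes, embedded NUL: %d, byte after it: %c\n",
           n, has_embedded_nul(buf, n), buf[18]);

    /* Patched format: nothing past the terminator is read. */
    n = format_after(buf, sizeof buf, arg);
    printf("after:  %d bytes, embedded NUL: %d, text: %s",
           n, has_embedded_nul(buf, n), buf);
    return 0;
}
```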