Package: dchroot
Version: 0.11
Tags: patch

dchroot contains the following statement.

  dchroot_printf("Unknown option '-%c%c'.\n", argv[index][1], argv[index][2]);

However, it is not assured that strlen(argv[index])>=2 in the statement.
So it accesses out of the bound of the string.

% dchroot - foo | head -1 | od -c
0000000   d   c   h   r   o   o   t   :       U   n   k   n   o   w   n
0000020       o   p   t   i   o   n       '   -  \0   f   '   .  \n
                                                      ^ argv[2][0]

% dchroot - | head -1 | od -c
0000000   d   c   h   r   o   o   t   :       U   n   k   n   o   w   n
0000020       o   p   t   i   o   n       '   -  \0   S   '   .  \n
                                                      ^?? the value of next addr in stack

--- dchroot-0.11.orig/dchroot.c +++ dchroot-0.11/dchroot.c @@ -376,8 +376,8 @@ while (argv[index] && argv[index][0] == '-') { if (argv[index][1] == '\0' || argv[index][2] != '\0') { - dchroot_printf("Unknown option '-%c%c'.\n", - argv[index][1], argv[index][2]); + dchroot_printf("Unknown option '%.2s'.\n", + argv[index]); usage(argv[0]); exit(EXIT_FAILURE); }
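
Review bot: in the replacement dchroot_printf call, the format '%.2s' is applied to argv[index] itself, so the leading '-' counts as one of the two characters printed. For an argument such as "-foo" the message now reads '-f', where the old '-%c%c' format showed two characters after the dash. The loop condition already guarantees argv[index][0] == '-', so argv[index] + 1 always points at least at the terminating NUL; passing argv[index] + 1 with the format "Unknown option '-%.2s'.\n" would keep the original message shape while still stopping at the end of the string. A short comment beside the call saying that the precision bounds the read to the argument would help keep a later edit from reintroducing the indexed accesses.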