ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr
- ps/parser.c:parse_list(): Regression (2c933ecb): node->u is uninitialized at free(node->u) when reached before node->u = xcalloc().
- ps/parser.c:parse_list(): When arg is very long, CVE-2023-4016 is triggered. 2c933ecb handles the multiplication issue, but there is still the possibility of int overflow when incrementing items.

Note also the strdup() in parse_list() with unhandled ENOMEM.

Fixed in !169 (merged).
Edited by Roman Žilka
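The three defects the report names (a counter that can wrap, a pointer freed before it was ever assigned, and an unchecked string duplication) are easiest to see side by side in a small hardened list parser. The code below is an added example written for this issue, not procps code: the names list_node, count_items_limited, parse_list_safe and free_list are hypothetical, the struct mirrors only the node->u / items shape the report mentions, and strndup() stands in for the strdup() the report refers to.

```c
/* Added example, not procps code: a comma-list parser that avoids the
 * three defect classes named in the issue. All names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char **u;   /* array of item strings (mirrors the node->u of the report) */
    int n;      /* number of valid entries in u */
} list_node;

/* Release everything owned by node. Safe to call on a node whose u is NULL,
 * which is why parse_list_safe() initialises u before any failure path. */
void free_list(list_node *node) {
    if (node->u) {
        for (int i = 0; i < node->n; i++)
            free(node->u[i]);
        free(node->u);
    }
    node->u = NULL;
    node->n = 0;
}

/* Count comma-separated items, refusing to let the int counter exceed
 * `limit` (and so never wrapping). Returns -1 if the limit would be passed. */
int count_items_limited(const char *s, int limit) {
    int items = 1;                      /* a non-empty string has one item */
    for (const char *p = s; *p; p++) {
        if (*p == ',') {
            if (items >= limit)         /* items++ would overflow / exceed limit */
                return -1;
            items++;
        }
    }
    return items;
}

/* Parse "a,b,c" into node->u. Returns 0 on success, -1 on failure with errno
 * set. On every return node->u is either a valid allocation or NULL, so a
 * caller's free_list(node) never touches an uninitialised pointer. */
int parse_list_safe(const char *arg, list_node *node) {
    node->u = NULL;                     /* initialise BEFORE any error path */
    node->n = 0;

    int items = count_items_limited(arg, INT_MAX);
    if (items < 0) {
        errno = EOVERFLOW;
        return -1;
    }

    /* calloc() checks items * sizeof(char *) for overflow itself. */
    node->u = calloc((size_t)items, sizeof *node->u);
    if (!node->u)
        return -1;                      /* errno is ENOMEM; u stays NULL */

    const char *start = arg;
    int i = 0;
    for (;;) {
        const char *comma = strchr(start, ',');
        size_t len = comma ? (size_t)(comma - start) : strlen(start);
        node->u[i] = strndup(start, len);
        if (!node->u[i]) {              /* ENOMEM is handled, not ignored */
            node->n = i;                /* free only what was filled in */
            free_list(node);
            return -1;
        }
        i++;
        if (!comma)
            break;
        start = comma + 1;
    }
    node->n = i;                        /* i == items by construction */
    return 0;
}
```

The limit parameter exists so the overflow branch can be exercised with a short input; production code passes INT_MAX, as parse_list_safe() does. Splitting with strchr()/strndup() rather than strtok() keeps empty items, so the filled count always equals the pre-computed count and the allocation is never over- or under-sized.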