ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr (!201) · Merge requests · procps-ng / procps

ps/parser.c:parse_list(): Regression (2c933ecb): node->u is uninitialized at free(node->u) when reached before node->u=xcalloc().
ps/parser.c:parse_list(): When arg is very long, CVE-2023-4016 is triggered. 2c933ecb handles the multiplication issue, but there is still the possibility of int overflow when incrementing items.

Note also the strdup() in parse_list() with unhandled ENOMEM. Fixed in !169 (merged).

Edited Aug 12, 2023 by Roman Žilka

ps/parser: parse_list(): int overflow for large arg, free() of uninit. ptr