Vulnerability? Bug? Null write in the get_cmdln_options function in src/options.c.

[decentL]

Hi,

In src/options.c, line 337.

// malloc() may fail, and str will be NULL.
str=(char*)malloc(strlen(pwd_entry->pw_dir)+14);
// write to Null
snprintf(str,strlen(pwd_entry->pw_dir)+14,"%s/.bwm-ng.conf",pwd_entry->pw_dir);

I think this is a vulnerability, and maybe we can patch it as following?

str=(char*)malloc(strlen(pwd_entry->pw_dir)+14);
if(!str) return

Thanks for any consideration!

Peiyu Liu,
NESA lab,
Zhejiang University

[vgropp]

it should terminate with an error and not just return and continue

[ofalk]

Under which circumstances do you think malloc() can fail and how can one easily reproduce the behaviour?

[vgropp]

I think https://www.quora.com/What-are-the-possible-ways-malloc-might-fail-Consider-malloc-code-doesnt-have-any-bugs sounds like a wrap up
but it will be not very easy to reproduce it

[ofalk]

Thx for merging!

[vgropp]

Thx for contributing!