BUG/MINOR: tools: fix possible null-deref in env_expand() on out-of-memory

In GH issue #2586 @Bbulatov reported a theoretical null-deref in env_expand() in case there's no memory anymore to expand an environment variable. The function should return NULL in this case so that the only caller (str2sa_range) sees it. In practice it may only happen during boot thus is harmless but better fix it since it's easy. This can be backported to all versions where this applies.
2024-05-31 18:52:51 +02:00 · 2024-05-31 18:52:51 +02:00 · ba958fb230
parent 8a7afb6964
commit ba958fb230
1 changed files with 7 additions and 2 deletions
--- a/src/tools.c
+++ b/src/tools.c
@ -4627,8 +4627,9 @@ int my_unsetenv(const char *name)
 * corresponding value. A variable is identified as a series of alphanumeric
 * characters or underscores following a '$' sign. The <in> string must be
 * free()able. NULL returns NULL. The resulting string might be reallocated if
- * some expansion is made. Variable names may also be enclosed into braces if
- * needed (eg: to concatenate alphanum characters).
+ * some expansion is made (an NULL will be returned on failure). Variable names
+ * may also be enclosed into braces if needed (eg: to concatenate alphanum
+ * characters).
 */
 char *env_expand(char *in)
 {
@ -4683,6 +4684,9 @@ char *env_expand(char *in)
 		}

 		out = my_realloc2(out, out_len + (txt_end - txt_beg) + val_len + 1);
+		if (!out)
+			goto leave;
+
 		if (txt_end > txt_beg) {
 			memcpy(out + out_len, txt_beg, txt_end - txt_beg);
 			out_len += txt_end - txt_beg;
@ -4697,6 +4701,7 @@ char *env_expand(char *in)

 	/* here we know that <out> was allocated and that we don't need <in> anymore */
 	free(in);
+leave:
 	return out;
 }