From 615ce15623d152122f7bf8369d834c3561b1e468 Mon Sep 17 00:00:00 2001
From: "Kelvin M. Klann"
Date: Fri, 22 Oct 2021 15:26:53 -0300
Subject: util.c: check array size on copy_group_ifcont

Check if new_groups already is full before trying to add to it.
---
 src/firejail/util.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/firejail/util.c b/src/firejail/util.c
index 6fc8a663f..5bb5c257b 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -117,13 +117,19 @@ static int find_group(gid_t group, const gid_t *groups, int ngroups) {
 // "groups". Always returns the current value of new_ngroups.
 static int copy_group_ifcont(const char *groupname,
 const gid_t *groups, int ngroups,
- gid_t *new_groups, int *new_ngroups) {
+ gid_t *new_groups, int *new_ngroups, int new_sz) {
+ if (*new_ngroups >= new_sz) {
+ errno = ERANGE;
+ goto out;
+ }
+
 gid_t g = get_group_id(groupname);
 if (g && find_group(g, groups, ngroups) >= 0) {
 new_groups[*new_ngroups] = g;
 (*new_ngroups)++;
 }

+out:
 return *new_ngroups;
 }

@@ -151,7 +157,7 @@ static void clean_supplementary_groups(gid_t gid) {
 int i = 0;
 while (allowed[i]) {
 copy_group_ifcont(allowed[i], groups, ngroups,
- new_groups, &new_ngroups);
+ new_groups, &new_ngroups, MAX_GROUPS);
 i++;
 }

--
cgit v1.2.3-70-g09d2
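Review bot: The new bounds check in copy_group_ifcont reports a full array only through `errno = ERANGE` while returning the same value as a successful call, and the call site in the second hunk (clean_supplementary_groups) discards the return value and, as far as the hunk shows, never reads errno. A group that is dropped for lack of space would therefore go unnoticed, and the loop keeps calling for the remaining `allowed[]` entries. Because errno is not cleared on the success path, a caller that wanted to detect this would need `errno = 0;` before each call. Either emit a warning at the check site or have the caller test for ERANGE and stop iterating. The header comment should also gain a line such as `// If new_groups already holds new_sz entries, sets errno to ERANGE and adds nothing.`; that comment block starts outside the hunk.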
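Review bot: The bound passed at this call is the constant `MAX_GROUPS`, but the declaration of `new_groups` lies outside the hunk, so the check added in copy_group_ifcont protects the write only if that array really has MAX_GROUPS elements. If `new_groups` is a local array in clean_supplementary_groups, deriving the count from the object itself, e.g. `sizeof(new_groups) / sizeof(new_groups[0])`, would keep the bound tied to the declaration should either one change later. clean_supplementary_groups begins and ends outside the hunk, so this should be confirmed against the full function.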