Upstream-Status: Backport [https://www.sudo.ws/repos/sudo/rev/c125fbe68783]
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
CVE: CVE-2021-3156

# HG changeset patch
# User Todd C. Miller <Todd.Miller@sudo.ws>
# Date 1611416640 25200
# Node ID c125fbe6878395d10f01d891d3c09b1229ada404
# Parent  09f98816fc8978f1d8623a857073d2d5746f0379
Don't assume that argv is allocated as a single flat buffer.
While this is how the kernel behaves it is not a portable assumption.
The assumption may also be violated if getopt_long(3) permutes arguments.
Found by Qualys.

diff -r 09f98816fc89 -r c125fbe68783 src/parse_args.c
--- a/src/parse_args.c	Sat Jan 23 08:44:00 2021 -0700
+++ b/src/parse_args.c	Sat Jan 23 08:44:00 2021 -0700
@@ -614,16 +614,16 @@
 	if (argc != 0) {
 	    /* shell -c "command" */
 	    char *src, *dst;
-	    size_t cmnd_size = (size_t) (argv[argc - 1] - argv[0]) +
-		strlen(argv[argc - 1]) + 1;
+	    size_t size = 0;
 
-	    cmnd = dst = reallocarray(NULL, cmnd_size, 2);
-	    if (cmnd == NULL)
+	    for (av = argv; *av != NULL; av++)
+		size += strlen(*av) + 1;
+	    if (size == 0 || (cmnd = reallocarray(NULL, size, 2)) == NULL)
 		sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 	    if (!gc_add(GC_PTR, cmnd))
 		exit(EXIT_FAILURE);
 
-	    for (av = argv; *av != NULL; av++) {
+	    for (dst = cmnd, av = argv; *av != NULL; av++) {
 		for (src = *av; *src != '\0'; src++) {
 		    /* quote potential meta characters */
 		    if (!isalnum((unsigned char)*src) && *src != '_' && *src != '-' && *src != '$')