First problem: saved_argc was used to calculate the size of the array, but saved_argc was never initialized. This triggers an immediate heap- based buffer overflow: $ skill -c0 -c0 -c0 -c0 Segmentation fault (core dumped) Second problem: saved_argc was not the upper bound anyway, because one argument can ENLIST() several times (for example, in parse_namespaces()) and overflow the array as well. Third problem: integer overflow of the size of the array.
17 KiB
17 KiB