From ed52b88b92c74cad5534b933ffe57543c2c28c29 Mon Sep 17 00:00:00 2001
From: nekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7>
Date: Mon, 18 Feb 2008 21:36:03 +0000
Subject: [PATCH] Fix buffer overflow when adding an user to a group. Thanks to
 Peter Vrabec.

---
 ChangeLog       | 5 +++++
 NEWS            | 2 ++
 src/groupmems.c | 2 +-
 3 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 9424dc80..26b8a465 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-02-18  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEWS, src/groupmems.c: Fix buffer overflow when adding an user
+	to a group. Thanks to Peter Vrabec.
+
 2008-02-14  Nicolas François  <nicolas.francois@centraliens.net>
 
 	* NEWS, etc/useradd: Change the default HOME directory in
diff --git a/NEWS b/NEWS
index ff3056aa..e10fbb8f 100644
--- a/NEWS
+++ b/NEWS
@@ -19,6 +19,8 @@ shadow-4.1.0 -> shadow-4.1.1						UNRELEASED
     passwd entry, but no shadow entry.
 - groupadd
   * New option -p/--password to specify an encrypted password.
+- groupmems
+  * Fix buffer overflow when adding an user to a group. Thanks to Peter Vrabec.
 - groupmod
   * New option -p/--password to specify an encrypted password.
 - grpck
diff --git a/src/groupmems.c b/src/groupmems.c
index 67cb7712..4852e865 100644
--- a/src/groupmems.c
+++ b/src/groupmems.c
@@ -104,7 +104,7 @@ static void addtogroup (char *user, char **members)
 		}
 	}
 
-	members = (char **) realloc (members, sizeof (char *) * i);
+	members = (char **) realloc (members, sizeof (char *) * (i+2));
 	members[i] = user;
 	members[i + 1] = NULL;
 }