# HG changeset patch
# User Jim Meyering <meyering@redhat.com>
# Date 1260443839 -3600
# Node ID 804bf8e8efd32cb6193985656583ed25daafcc98
# Parent  8f89d89472951d73d33f167e8db9f73adfd7e9ac
mgetgroups: do not write bytes beyond end of malloc'd buffer

* lib/mgetgroups.c: Fix an off-by-one error.  When we have no
username, we call getgroups with a one-element-shorter buffer,
but still told it the length was original, max_n_groups.

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-12-10  Jim Meyering  <meyering@redhat.com>
+
+	mgetgroups: do not write bytes beyond end of malloc'd buffer
+	* lib/mgetgroups.c: Fix an off-by-one error.  When we have no
+	username, we call getgroups with a one-element-shorter buffer,
+	but still told it the length was original, max_n_groups.
+
 2009-12-09  Eric Blake  <ebb9@byu.net>
 
 	cloexec: relax license
diff --git a/lib/mgetgroups.c b/lib/mgetgroups.c
--- a/lib/mgetgroups.c
+++ b/lib/mgetgroups.c
@@ -141,7 +141,8 @@
 
   ng = (username
         ? getugroups (max_n_groups, g, username, gid)
-        : getgroups (max_n_groups, g + (gid != (gid_t) -1)));
+        : getgroups (max_n_groups - (gid != (gid_t) -1),
+                                g + (gid != (gid_t) -1)));
 
   if (ng < 0)
     {