exec_am_broadcast: fix NULL assignment of last element of child_argv

Grimler91 · Grimler91 · commit 08bcd7331982 · 2022-06-19T11:38:24.000+02:00
child_argv[argc+extra_args] is outside the allocated memory region,
since it starts counting from 0.

Seen with valgrind:

==22732== Invalid write of size 8
==22732==    at 0x5E876D4: exec_am_broadcast (termux-api.c:254)
==22732==  Address 0x6033e10 is 0 bytes after a block of size 144 alloc'd
==22732==    at 0x5CC9FB4: malloc (in /data/data/com.termux/files/usr/libexec/valgrind/vgpreload_memcheck-arm64-linux.so)
==22732==    by 0x5E875BF: exec_am_broadcast (termux-api.c:231)
==22732==
==22732== Syscall param execve(argv) points to uninitialised byte(s)
==22732==    at 0x5FEEB78: execve (in /apex/com.android.runtime/lib64/bionic/libc.so)
==22732==    by 0x5F18023: execve (in /data/data/com.termux/files/usr/lib/libtermux-exec.so)
==22732==  Address 0x6033e08 is 136 bytes inside a block of size 144 alloc'd
==22732==    at 0x5CC9FB4: malloc (in /data/data/com.termux/files/usr/libexec/valgrind/vgpreload_memcheck-arm64-linux.so)
==22732==    by 0x5E875BF: exec_am_broadcast (termux-api.c:231)
==22732==  Uninitialised value was created by a heap allocation
==22732==    at 0x5CC9FB4: malloc (in /data/data/com.termux/files/usr/libexec/valgrind/vgpreload_memcheck-arm64-linux.so)
==22732==    by 0x5E875BF: exec_am_broadcast (termux-api.c:231)
diff --git a/termux-api.c b/termux-api.c
@@ -245,7 +245,7 @@ _Noreturn void exec_am_broadcast(int argc, char** argv,
     memcpy(child_argv + extra_args, argv + 2, (argc-1) * sizeof(char*));
 
     // End with NULL:
-    child_argv[argc + extra_args] = NULL;
+    child_argv[argc + extra_args - 1] = NULL;
 
     // Use an a executable taking care of PATH and LD_LIBRARY_PATH:
     execv(PREFIX "/bin/am", child_argv);
