2003-04-23  Ulrich Drepper  <drepper@redhat.com>

	* grp/initgroups.c (getgrouplist): Don't copy too much into the
	user buffer if more groups are found than fit into it.

--- libc/grp/initgroups.c	13 Mar 2002 17:51:09 -0000	1.28
+++ libc/grp/initgroups.c	23 Apr 2003 21:26:34 -0000	1.29
@@ -23,6 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <sys/param.h>
 #include <sys/types.h>
 #include <nsswitch.h>
 
@@ -207,6 +208,9 @@ getgrouplist (const char *user, gid_t gr
     return -1;
 
   result = internal_getgrouplist (user, group, &size, &newgroups, -1);
+
+  memcpy (groups, newgroups, MIN (*ngroups, result) * sizeof (gid_t));
+
   if (result > *ngroups)
     {
       *ngroups = result;
@@ -215,8 +219,6 @@ getgrouplist (const char *user, gid_t gr
   else
     *ngroups = result;
 
-  memcpy (groups, newgroups, *ngroups * sizeof (gid_t));
-
   free (newgroups);
   return result;
 }

============
testcase:

#include <grp.h>
#include <stdlib.h>

int main (void)
{
  int ngroups = 2, old_ngroups;
  gid_t *groups = (gid_t *) malloc ((ngroups + 1) * sizeof (gid_t));

  if (groups == NULL)
    abort ();
  groups[ngroups] = (gid_t) 0xdeadbeef;
  old_ngroups = ngroups;
  if (getgrouplist ("bin", 0, groups, &ngroups) < 0)
    {
      if (groups[old_ngroups] != (gid_t) 0xdeadbeef)
	abort ();
      groups = realloc (groups, (ngroups + 1) * sizeof (gid_t));
      if (groups == NULL)
	abort ();
      groups[ngroups] = (gid_t) 0xdeadbeef;
      old_ngroups = ngroups;
      if (getgrouplist ("bin", 0, groups, &ngroups) < 0)
	abort ();
      if (groups[old_ngroups] != (gid_t) 0xdeadbeef)
	abort ();
    }
  else
    abort ();
  exit (0);
}