An off-by-one NULL byte write on the stack has been reported in rpm. This is caused by an off-by-one within the glob() function in rpmio/rpmglob.c. It allocates space of a certain size on the stack using alloca(), then uses mempcpy() to copy data into it, and finally tries to write a terminating NULL. This NULL byte is not accounted for when allocating the stack memory, thus it's written one byte after the allocated memory.

> else {
>     char *end_name = strchr(dirname, '/');
>     const char *user_name;
>     const char *home_dir;
>
>     if (end_name == NULL)
>         user_name = dirname + 1;
>     else {
>         char *newp;
>         newp = (char *) alloca(end_name - dirname);
>         *((char *) mempcpy(newp, dirname + 1, end_name - dirname))
>             = '\0';
>         user_name = newp;
>     }

How exploitable this really is depends on a lot of factors, including the exact implementation of alloca(), the architecture, stack layout, etc. For the majority of scenarios, this doesn't even cause a crash. For the remaining scenarios, triggering a crash may be possible. Exploiting this for code execution under normal conditions seems unlikely.

Acknowledgments:

Name: Hanno Boeck
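The size arithmetic of the quoted fragment, replayed as an added example that is not rpm's code: the vulnerable branch is run into a heap buffer with one spare canary byte so the stray NUL is observable rather than undefined behaviour, and a hardened variant copies only the bytes between '~' and '/' and checks that the caller's buffer has room for the terminator. mempcpy() is replaced by memcpy() plus an explicit index so the write position is visible; the input strings and the 0xAA canary are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not rpm's code. Models the "~user/rest" branch quoted from
 * rpmio/rpmglob.c: end_name - dirname bytes are alloca()'d, the same number
 * of bytes is copied from dirname + 1 (so the copy includes the '/'), and
 * the NUL is then written at offset end_name - dirname, one past the end. */

/* Replays the vulnerable arithmetic into a heap buffer that has one spare
 * byte holding a canary. Returns 1 if the canary was overwritten, 0 if it
 * is intact, -1 if the input has no '/' (the other branch of the code). */
int vulnerable_write_hits_canary(const char *dirname)
{
    const char *end_name = strchr(dirname, '/');
    if (end_name == NULL)
        return -1;
    size_t alloc = (size_t)(end_name - dirname);   /* what alloca() reserved */
    char *newp = malloc(alloc + 1);                /* +1 only to hold the canary */
    if (newp == NULL)
        return -1;
    newp[alloc] = (char)0xAA;                      /* constructed canary value */
    memcpy(newp, dirname + 1, alloc);              /* fills newp[0..alloc-1] */
    newp[alloc] = '\0';                            /* the out-of-bounds NUL */
    int hit = (unsigned char)newp[alloc] != 0xAA;
    free(newp);
    return hit;
}

/* Hardened extraction: copy exactly the bytes between '~' and '/' (or to
 * the end of the string when there is no '/'), reserve one byte for the
 * NUL, and refuse when the caller's buffer is too small.
 * Returns 0 on success, -1 if out is too small or dirname lacks a '~'. */
int safe_tilde_user(const char *dirname, char *out, size_t outsz)
{
    if (dirname[0] != '~')
        return -1;
    const char *start = dirname + 1;
    const char *end_name = strchr(start, '/');
    size_t len = end_name ? (size_t)(end_name - start) : strlen(start);
    if (len + 1 > outsz)                           /* len bytes + terminating NUL */
        return -1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}
```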
Created rpm tracking bugs for this issue: Affects: fedora-all [bug 1371926]