From a8751ec768f61ce58aaf8550c165e0b1639ea3af Mon Sep 17 00:00:00 2001
From: Jan Verbeek <jan.verbeek@posteo.nl>
Date: Sun, 12 Sep 2021 12:26:12 +0200
Subject: Prevent buffer over-read in getgroups()

---
 src/unistd.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/unistd.rs b/src/unistd.rs
index 25b20051..2f47b260 100644
--- a/src/unistd.rs
+++ b/src/unistd.rs
@@ -1420,6 +1420,14 @@ pub fn getgroups() -> Result<Vec<Gid>> {
     // Next, get the number of groups so we can size our Vec
     let ngroups = unsafe { libc::getgroups(0, ptr::null_mut()) };
 
+    // If there are no supplementary groups, return early.
+    // This prevents a potential buffer over-read if the number of groups
+    // increases from zero before the next call. It would return the total
+    // number of groups beyond the capacity of the buffer.
+    if ngroups == 0 {
+        return Ok(Vec::new());
+    }
+
     // Now actually get the groups. We try multiple times in case the number of
     // groups has changed since the first call to getgroups() and the buffer is
     // now too small.
-- 
cgit v1.2.3