Hello,

I was looking at ksu and noticed this code from src/clients/ksu/main.c in the 1.16 distribution assumes that argc cannot be zero, but at least on Linux that is not true - if you pass NULL for argv to execve(), argc will be zero.

    target_user = xstrdup(argv[1]);
    pargc = argc - 1;
    if ((pargv = (char **) calloc(pargc + 1, sizeof(char *))) == NULL) {
        com_err(prog_name, errno, _("while allocating memory"));
        exit(1);
    }
    pargv[pargc] = NULL;
    pargv[0] = argv[0];
    for (i = 1; i < pargc; i++) {
        pargv[i] = argv[i + 1];
    }
    }

I think this will just crash, because of the strdup(NULL), but if that succeeds on any platform this code will write NULL to pargv[-1], causing heap corruption.

(On Linux execve("/usr/bin/ksu", NULL, NULL) will make argc zero, if you want to test.)

Thanks, Tavis.
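The argv-shifting logic quoted above, rewritten with the missing argc check, as an added example that is not part of the original message and not MIT krb5 code. The function name build_pargv and its return convention are assumptions. It shows why argc must be at least 2 before argv[1] is read: with argc == 0 the computed pargc is -1, so pargv[pargc] = NULL would write one pointer before the start of the calloc'd block, and with argc == 1 there is no argv[1] to duplicate.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hardened version of the argv-shifting code (hypothetical helper, not ksu's).
 * Builds a new NULL-terminated vector that keeps argv[0] and drops argv[1]
 * (the target user), as ksu does before re-parsing options.
 * Returns NULL, leaving *out_argc untouched, when argc < 2 (which covers
 * the argc == 0 case reachable via execve(path, NULL, NULL)), when argv or
 * argv[1] is NULL, or when allocation fails. The caller frees the vector;
 * the strings are still owned by the original argv. */
char **build_pargv(int argc, char **argv, int *out_argc)
{
    int pargc, i;
    char **pargv;

    /* The check the original code lacks: with argc == 0, pargc would be -1
     * and pargv[pargc] = NULL would become pargv[-1], i.e. a write before
     * the allocation. With argc == 1, argv[1] is the terminating NULL. */
    if (argc < 2 || argv == NULL || argv[1] == NULL)
        return NULL;

    pargc = argc - 1;
    pargv = calloc((size_t)pargc + 1, sizeof(char *));
    if (pargv == NULL)
        return NULL;

    pargv[pargc] = NULL;      /* now always a valid index: pargc >= 1 */
    pargv[0] = argv[0];
    for (i = 1; i < pargc; i++)
        pargv[i] = argv[i + 1];

    *out_argc = pargc;
    return pargv;
}

int main(void)
{
    /* Constructed sample argv, as a shell would pass for "ksu root -n x". */
    char *sample[] = { "ksu", "root", "-n", "x", NULL };
    int n = 0, i;
    char **p = build_pargv(4, sample, &n);

    if (p == NULL) {
        fprintf(stderr, "build_pargv rejected the input\n");
        return 1;
    }
    for (i = 0; i < n; i++)
        printf("pargv[%d] = %s\n", i, p[i]);
    free(p);

    /* The argc == 0 case is rejected instead of corrupting the heap. */
    printf("argc == 0 -> %s\n", build_pargv(0, NULL, &n) ? "accepted" : "rejected");
    return 0;
}
```

The same check belongs before the xstrdup(argv[1]) call in the original, since that read is the first thing that goes wrong when argc is zero.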