Multiple memory leaks in options parsing in pkcheck.c
Submitted by Leonard den Ottolander
Assigned to David Zeuthen @david
Description
https://googleprojectzero.blogspot.nl/2014/08/the-poisoned-nul-byte-2014-edition.html "Step 5: Aha! use a command-line argument spray to effect a heap spray and collide the heap into the stack" shows an example of "heap spraying" caused by a memory leak in the options parsing in pkexec.c. This leak has been fixed by disallowing multiple uses of the --user / -u option.
However, the same issue exists in pkcheck.c multiple times:
--action-id / -a can be specified multiple times, causing action_id to be repeatedly initialized with a g_strdup (argv[n]).
--system-bus-name has the same problem, only here initialization is done with polkit_system_bus_name_new (argv[n]).
These leaks can be solved in the same way as in pkexec.c: just disallow multiple specifications of those options.
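To make the pattern concrete, the following is an added, stand-alone C example; it is not pkcheck.c's or polkit's actual code. It reconstructs the option loop the report describes in simplified form: the leaky variant re-assigns the option's pointer on every occurrence (so an attacker can inflate the heap by repeating the option, the "argument spray" the linked post describes), and the hardened variant applies the pkexec.c-style fix of rejecting a second occurrence. Plain strdup stands in for both g_strdup and polkit_system_bus_name_new so the example builds without GLib or libpolkit, and the argument vectors in main are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Leaky parser (assumed shape, mirrors the report): each --action-id / -a
 * occurrence overwrites action_id with a fresh copy and the previous copy is
 * orphaned. Returns the number of overwritten (leaked) allocations, or -1 on
 * a missing option argument; the final value is handed back via out. */
static int parse_leaky(int argc, char *argv[], char **out_action_id)
{
    char *action_id = NULL;
    int leaked = 0;

    for (int n = 1; n < argc; n++) {
        if (strcmp(argv[n], "--action-id") == 0 || strcmp(argv[n], "-a") == 0) {
            n++;
            if (n >= argc) {
                free(action_id);
                *out_action_id = NULL;
                return -1;
            }
            if (action_id != NULL)
                leaked++;              /* old allocation is never freed */
            action_id = strdup(argv[n]);   /* stands in for g_strdup */
        }
    }
    *out_action_id = action_id;
    return leaked;
}

/* Hardened parser: a repeated --action-id/-a or --system-bus-name is a usage
 * error, so each pointer is assigned at most once and nothing is orphaned.
 * Returns 0 on success (caller frees the outputs) or -1 on usage error. */
static int parse_strict(int argc, char *argv[],
                        char **out_action_id, char **out_bus_name)
{
    char *action_id = NULL, *bus_name = NULL;

    for (int n = 1; n < argc; n++) {
        if (strcmp(argv[n], "--action-id") == 0 || strcmp(argv[n], "-a") == 0) {
            if (action_id != NULL || ++n >= argc)
                goto usage;            /* duplicate option or missing value */
            action_id = strdup(argv[n]);
        } else if (strcmp(argv[n], "--system-bus-name") == 0) {
            if (bus_name != NULL || ++n >= argc)
                goto usage;
            bus_name = strdup(argv[n]); /* stands in for polkit_system_bus_name_new */
        } else {
            goto usage;
        }
    }
    *out_action_id = action_id;
    *out_bus_name = bus_name;
    return 0;

usage:
    free(action_id);
    free(bus_name);
    *out_action_id = NULL;
    *out_bus_name = NULL;
    return -1;
}

int main(void)
{
    /* Constructed argument vector repeating -a / --action-id three times. */
    char *spray[] = { "pkcheck", "-a", "org.example.one",
                      "--action-id", "org.example.two",
                      "-a", "org.example.three" };
    int argc = (int)(sizeof spray / sizeof spray[0]);
    char *id = NULL, *bus = NULL;

    int leaked = parse_leaky(argc, spray, &id);
    printf("leaky parser: %d allocation(s) orphaned, final action_id=%s\n",
           leaked, id);
    free(id);

    if (parse_strict(argc, spray, &id, &bus) < 0)
        printf("strict parser: rejected repeated --action-id\n");
    return 0;
}
```

Repeating the option N times in the leaky loop leaves N-1 copies of the argument on the heap for the life of the process, which is all an argument spray needs; the strict loop fails on the second occurrence before a second allocation is made.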