Making security hole with using stdlib on signal handler

vulnerable.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <stdbool.h>
#include <signal.h>
#include <sys/time.h>
#include <pwd.h>
#include <err.h>

int correct = 0, change = 0, empty = 0;

void recursive_sig(int signo)
{
    struct itimerval itv = {.it_value.tv_usec = 50};

    printf("in handler\n");
    getpwnam("root");
    setitimer(ITIMER_REAL, &itv, NULL);
    correct++;
}

void abort_handler(int signo)
{
    int sum = correct + change + empty;

    printf("-----------------------\n");
    printf("sum : %d\n", sum);
    printf("correct : %.1f%% (%d)\n", (float)correct * 100 / sum, correct);
    printf("change : %.1f%% (%d)\n", (float)change * 100 / sum, change);
    printf("empty : %.1f%% (%d)\n", (float)empty * 100 / sum, empty);

    printf("\033[36munbehaviors : %.1f%% (%d)\n\033[0m",
           (float)(change + empty) * 100 / sum,
           (change + empty));

    _exit(1);
}

int main(int argc, char const *argv[])
{
    struct passwd *pw;

    if (signal(SIGABRT, abort_handler))
        err(EXIT_FAILURE, "signal()");

    if (signal(SIGALRM, recursive_sig))
        err(EXIT_FAILURE, "signal()");
    recursive_sig(SIGALRM);

    while (true)
    {
        if (!(pw = getpwnam("ali")))
        {
            perror("\r\033[31mempty pw! status msg\033[0m");
            correct--;
            empty++;
            continue;
        }

        if (strcmp(pw->pw_name, "ali"))
        {
            fprintf(stderr, "\r\033[93muser is not ali, is %s!!!!\n\033[0m", pw->pw_name);
            correct--;
            change++;
        }
    }

    return 0;
}