about summary refs log tree commit diff
diff options
context:
space:
mode:
authorPaul Pluzhnikov <ppluzhnikov@google.com>2015-03-09 07:22:36 -0700
committerPaul Pluzhnikov <ppluzhnikov@google.com>2015-03-09 07:22:36 -0700
commit5f85a4bf9460b953a35f2beae54acaa8c1310a29 (patch)
tree912e656fd117c3cffcd58aed5a1e57b79527332c
parent95f386609f378063b35e0c4ede8c2d2ceea91f51 (diff)
downloadglibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.gz
glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.xz
glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.zip
Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
-rw-r--r--ChangeLog6
-rw-r--r--posix/wordexp-test.c5
-rw-r--r--posix/wordexp.c3
3 files changed, 11 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index abb948f36f..a7bd5b743c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 2015-03-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
+	[BZ #18043]
+	* posix/wordexp.c (parse_param): Fix buffer overflow.
+	* posix/wordexp-test.c (test_case): Add test case.
+
+2015-03-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
 	[BZ #18042]
 	* posix/wordexp.c (parse_backtick): Fix off-by-one.
 	* posix/wordexp-test.c (test_case): Add test for BZ #18042.
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 845407e537..0a353a45c3 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -234,8 +234,9 @@ struct test_case_struct
     { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
     { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
 
-    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },  /* BZ 18042  */
-    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },   /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },     /* BZ 18042  */
+    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },      /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS },   /* BZ 18043#c4  */
 
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };
diff --git a/posix/wordexp.c b/posix/wordexp.c
index ae4fd72b82..36b6fff0db 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
 	  break;
 
 	case ':':
-	  if (strchr ("-=?+", words[1 + *offset]) == NULL)
+	  if (words[1 + *offset] == '\0'
+	      || strchr ("-=?+", words[1 + *offset]) == NULL)
 	    goto syntax;
 
 	  colon_seen = 1;