diff options
author | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-09 07:22:36 -0700 |
---|---|---|
committer | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-09 07:22:36 -0700 |
commit | 5f85a4bf9460b953a35f2beae54acaa8c1310a29 (patch) | |
tree | 912e656fd117c3cffcd58aed5a1e57b79527332c | |
parent | 95f386609f378063b35e0c4ede8c2d2ceea91f51 (diff) | |
download | glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.gz glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.xz glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.zip |
Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | posix/wordexp-test.c | 5 | ||||
-rw-r--r-- | posix/wordexp.c | 3 |
3 files changed, 11 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog index abb948f36f..a7bd5b743c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ 2015-03-09 Paul Pluzhnikov <ppluzhnikov@google.com> + [BZ #18043] + * posix/wordexp.c (parse_param): Fix buffer overflow. + * posix/wordexp-test.c (test_case): Add test case. + +2015-03-09 Paul Pluzhnikov <ppluzhnikov@google.com> + [BZ #18042] * posix/wordexp.c (parse_backtick): Fix off-by-one. * posix/wordexp-test.c (test_case): Add test for BZ #18042. diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c index 845407e537..0a353a45c3 100644 --- a/posix/wordexp-test.c +++ b/posix/wordexp-test.c @@ -234,8 +234,9 @@ struct test_case_struct { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS }, - { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS }, /* BZ 18042 */ - { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, /* BZ 18043 */ + { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS }, /* BZ 18042 */ + { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, /* BZ 18043 */ + { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS }, /* BZ 18043#c4 */ { -1, NULL, NULL, 0, 0, { NULL, }, IFS }, }; diff --git a/posix/wordexp.c b/posix/wordexp.c index ae4fd72b82..36b6fff0db 100644 --- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length, break; case ':': - if (strchr ("-=?+", words[1 + *offset]) == NULL) + if (words[1 + *offset] == '\0' + || strchr ("-=?+", words[1 + *offset]) == NULL) goto syntax; colon_seen = 1; |