diff options
| author | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-09 07:22:36 -0700 |
|---|---|---|
| committer | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-09 07:22:36 -0700 |
| commit | 5f85a4bf9460b953a35f2beae54acaa8c1310a29 (patch) | |
| tree | 912e656fd117c3cffcd58aed5a1e57b79527332c /posix/wordexp.c | |
| parent | 95f386609f378063b35e0c4ede8c2d2ceea91f51 (diff) | |
| download | glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.gz glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.xz glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.zip | |
Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
Diffstat (limited to 'posix/wordexp.c')
| -rw-r--r-- | posix/wordexp.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/posix/wordexp.c b/posix/wordexp.c index ae4fd72b82..36b6fff0db 100644 --- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length, break; case ':': - if (strchr ("-=?+", words[1 + *offset]) == NULL) + if (words[1 + *offset] == '\0' + || strchr ("-=?+", words[1 + *offset]) == NULL) goto syntax; colon_seen = 1; |