diff options
author | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-09 07:22:36 -0700 |
---|---|---|
committer | Paul Pluzhnikov <ppluzhnikov@google.com> | 2015-03-09 07:22:36 -0700 |
commit | 5f85a4bf9460b953a35f2beae54acaa8c1310a29 (patch) | |
tree | 912e656fd117c3cffcd58aed5a1e57b79527332c /posix | |
parent | 95f386609f378063b35e0c4ede8c2d2ceea91f51 (diff) | |
download | glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.gz glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.tar.xz glibc-5f85a4bf9460b953a35f2beae54acaa8c1310a29.zip |
Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
Diffstat (limited to 'posix')
-rw-r--r-- | posix/wordexp-test.c | 5 | ||||
-rw-r--r-- | posix/wordexp.c | 3 |
2 files changed, 5 insertions, 3 deletions
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c index 845407e537..0a353a45c3 100644 --- a/posix/wordexp-test.c +++ b/posix/wordexp-test.c @@ -234,8 +234,9 @@ struct test_case_struct { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS }, - { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS }, /* BZ 18042 */ - { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, /* BZ 18043 */ + { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS }, /* BZ 18042 */ + { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, /* BZ 18043 */ + { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS }, /* BZ 18043#c4 */ { -1, NULL, NULL, 0, 0, { NULL, }, IFS }, }; diff --git a/posix/wordexp.c b/posix/wordexp.c index ae4fd72b82..36b6fff0db 100644 --- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length, break; case ':': - if (strchr ("-=?+", words[1 + *offset]) == NULL) + if (words[1 + *offset] == '\0' + || strchr ("-=?+", words[1 + *offset]) == NULL) goto syntax; colon_seen = 1; |