Fix for BZ #18043 buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
Commit Message
Greetings,
Attached patch fixes BZ #18043.
TIL: strchr("abc", '\0') != NULL and that is apparently well defined.
2015-02-27 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #18043]
* posix/wordexp.c (parse_param): Fix buffer overflow.
* posix/wordexp-test.c: Add test case.
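The property behind this fix (strchr() with a NUL search character returns a pointer to the string's terminator, never NULL) is easy to misread, so here is a small added example that is not part of the patch or of glibc. It mirrors the pre-fix and post-fix conditions from the hunk as two hypothetical helpers and reports where the parser's cursor would end up on the input "${" from the new test case; `cursor_after_param` and `cursor_past_end` are constructed for this illustration and compute the offset without dereferencing it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not glibc code. `words` is the input being expanded and
   `off` is the cursor; words[off] is the character just after "${". */

/* The fact from the commit message: strchr(s, '\0') is well defined and
   returns a pointer to s's terminating NUL, so it is never NULL. */
int strchr_nul_finds_terminator(const char *s)
{
    const char *p = strchr(s, '\0');
    return p != NULL && p == s + strlen(s);
}

/* Pre-fix condition as in the hunk: when words[off] is the terminator,
   strchr("*@$", '\0') points at the set's own terminator, so the end of
   input is misclassified as a special parameter. */
int is_special_unguarded(const char *words, size_t off)
{
    return strchr("*@$", words[off]) != NULL;
}

/* Fixed condition as in the hunk: exclude the terminator before strchr. */
int is_special_guarded(const char *words, size_t off)
{
    return words[off] != '\0' && strchr("*@$", words[off]) != NULL;
}

/* Hypothetical walk: a special parameter consumes one character. Returns
   the cursor that the parser would continue from; it is not dereferenced
   here, so comparing it with strlen(words) is safe. */
size_t cursor_after_param(const char *words, size_t off, int guarded)
{
    int special = guarded ? is_special_guarded(words, off)
                          : is_special_unguarded(words, off);
    return special ? off + 1 : off;
}

/* 1 if reading words[off] would be past the terminator, i.e. the
   read-past-the-end that BZ #18043 describes. */
int cursor_past_end(const char *words, size_t off)
{
    return off > strlen(words);
}

int main(void)
{
    const char *input = "${";          /* constructed: the new test case */
    size_t off = 2;                    /* cursor right after "${" */

    printf("strchr(\"abc\", '\\0') != NULL: %d\n",
           strchr_nul_finds_terminator("abc"));
    printf("unguarded: next read past end = %d\n",
           cursor_past_end(input, cursor_after_param(input, off, 0)));
    printf("guarded:   next read past end = %d\n",
           cursor_past_end(input, cursor_after_param(input, off, 1)));
    return 0;
}
```

Run on "${", the unguarded condition treats the terminator as a special parameter and leaves the cursor at offset 3, one byte beyond the string, which is exactly where the reported over-read starts; the guarded condition keeps the cursor on the terminator so the caller can report WRDE_SYNTAX.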
Comments
On 02/27/2015 09:47 PM, Paul Pluzhnikov wrote:
> Greetings,
>
> Attached patch fixes BZ #18043.
>
> TIL: strchr("abc", '\0') != NULL and that is apparently well defined.
>
>
> 2015-02-27 Paul Pluzhnikov <ppluzhnikov@google.com>
>
> [BZ #18043]
> * posix/wordexp.c (parse_param): Fix buffer overflow.
> * posix/wordexp-test.c: Add test case.
>
Looks good to me. Thanks for fixing these and adding a test case.
OK to commit as long as you verified that the test case fails before
and passes afterwards on at least x86_64.
Cheers,
Carlos.
@@ -232,6 +232,9 @@ struct test_case_struct
{ WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
{ WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
+ /* BZ # 18043 */
+ { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },
+
{ -1, NULL, NULL, 0, 0, { NULL, }, IFS },
};
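Review bot: the subject line names both parse_dollars and parse_param, but the ChangeLog entry and the code hunk only touch parse_param; either the subject should name parse_param alone or a corresponding guard in parse_dollars is missing from this patch. Minor: the new comment reads `/* BZ # 18043 */` while the rest of the submission writes `BZ #18043`; drop the stray space so the bug number is greppable in the same form everywhere.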
@@ -1299,7 +1299,7 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
}
while (isdigit(words[++*offset]));
}
- else if (strchr ("*@$", words[*offset]) != NULL)
+ else if (words[*offset] != '\0' && strchr ("*@$", words[*offset]) != NULL)
{
/* Special parameter. */
special = 1;
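Review bot: the added `words[*offset] != '\0' &&` guard is the right fix, since strchr() treats the search set's terminating NUL as a match and the old condition therefore classified end-of-input as a special parameter. Because the guard looks redundant at first glance, a one-line comment above the condition, e.g. `/* strchr matches the terminating NUL, so reject it first.  */`, would keep a later cleanup from removing it and reintroducing the over-read.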