From patchwork Sat Feb 28 02:47:20 2015
X-Patchwork-Submitter: Paul Pluzhnikov
X-Patchwork-Id: 5357
Delivered-To: mailing list libc-alpha@sourceware.org
From: Paul Pluzhnikov Date: Fri, 27 Feb 2015 18:47:20 -0800 Message-ID: Subject: [patch] Fix for BZ #18043 buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param To: GLIBC Devel Greetings, Attached patch fixes BZ #18043. TIL: strchr("abc", '\0') != NULL and that is apparently well defined. 2015-02-27 Paul Pluzhnikov [BZ #18043] * posix/wordexp.c (parse_param): Fix buffer overflow. * posix/wordexp-test.c: Add test case. diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c index 8a312e0..7690360 100644 --- a/posix/wordexp-test.c +++ b/posix/wordexp-test.c @@ -232,6 +232,9 @@ struct test_case_struct { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS }, { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS }, + /* BZ # 18043 */ + { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, + { -1, NULL, NULL, 0, 0, { NULL, }, IFS }, }; diff --git a/posix/wordexp.c b/posix/wordexp.c index e3d8d6b..1c14401 100644 --- a/posix/wordexp.c +++ b/posix/wordexp.c @@ -1299,7 +1299,7 @@ parse_param (char **word, size_t *word_length, size_t *max_length, } while (isdigit(words[++*offset])); } - else if (strchr ("*@$", words[*offset]) != NULL) + else if (words[*offset] != '\0' && strchr ("*@$", words[*offset]) != NULL) { /* Special parameter. */ special = 1;
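Review bot: In the posix/wordexp-test.c hunk the new entry exercises only the bare string "${", and its comment reads "BZ # 18043" with a stray space where the ChangeLog entry uses "BZ #18043". Since the defect is a read past the end of the input, the comment should say whether this case fails on an unpatched build through its return value or only shows up under a memory checker. A second entry in which "${" ends a longer word would also reach the end-of-string path from a non-zero offset.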
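Review bot: In the parse_param hunk the added words[*offset] != '\0' test carries no comment, and the reason for it is not obvious from the code: strchr also matches the terminating null byte of "*@$", so an end-of-input character was taken as a special parameter. A one-line comment above the condition stating that would keep a later cleanup from dropping the check as redundant. The condition now evaluates words[*offset] twice; reading it into a local char once would shorten the line.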