Fix for BZ 18042 buffer-overflow (read past the end) in wordexp/parse_backtick/parse_backslash
Commit Message
Greetings,
parse_backslash() expects to be looking *at* backslash, not past it.
2015-02-27 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #18042]
* posix/wordexp.c (parse_backtick): Fix off-by-one.
* posix/wordexp-test.c: Add test.
Comments
On 02/27/2015 11:49 PM, Paul Pluzhnikov wrote:
> Greetings,
>
> parse_backslash() expects to be looking *at* backslash, not past it.
>
>
> 2015-02-27 Paul Pluzhnikov <ppluzhnikov@google.com>
>
> [BZ #18042]
> * posix/wordexp.c (parse_backtick): Fix off-by-one.
> * posix/wordexp-test.c: Add test.
>
Agreed. Looks good to me. Thanks for the fix and test.
OK to commit as long as test fails before and passes after
on at least x86_64.
Cheers,
Carlos.
On Thu, Mar 5, 2015 at 11:55 AM, Carlos O'Donell <carlos@redhat.com> wrote:
> OK to commit as long as test fails before and passes after
> on at least x86_64.
After https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=36103ba2f5db530bff24896dfc9076955fba3b5f
the test does fail before and pass after the fix. No new failures.
Committed as f8ba70e9f8ad2707951882c535ea27909d8d762d
Thanks,
@@ -232,6 +232,9 @@ struct test_case_struct
{ WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
{ WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
+ /* BZ 18042 */
+ { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },
+
{ -1, NULL, NULL, 0, 0, { NULL, }, IFS },
};
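Review bot: The comment on the new entry, /* BZ 18042 */, gives only the bug number; a few words describing the input (an opening backtick followed by a lone backslash at the end of the string) would make it clear why WRDE_SYNTAX is the expected result. The entry also runs only with flags 0, while the two entries just above it use WRDE_NOCMD; consider whether the same input is worth a second entry with that flag so both paths are covered.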
@@ -2143,7 +2143,6 @@ parse_backtick (char **word, size_t *word_length, size_t *max_length,
break;
}
- ++(*offset);
error = parse_backslash (&comm, &comm_length, &comm_maxlen, words,
offset);
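Review bot: With ++(*offset) removed, the parse_backslash call relies on *offset indexing the backslash itself, and nothing at this call site records that contract. Suggest a one-line comment above the call stating it, as the commit message does ("parse_backslash() expects to be looking *at* backslash, not past it"), and a check that the other parse_backslash call sites in posix/wordexp.c do not carry the same pre-increment.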