From patchwork Sat Feb 28 04:49:12 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Pluzhnikov <ppluzhnikov@gmail.com>
X-Patchwork-Id: 5358
Received: (qmail 13929 invoked by alias); 28 Feb 2015 04:49:46 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 13913 invoked by uid 89); 28 Feb 2015 04:49:45 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=1.3 required=5.0 tests=AWL, BAYES_00,
	FREEMAIL_FROM, KAM_FROM_URIBL_PCCC, RCVD_IN_DNSWL_LOW,
	SPF_PASS, T_RP_MATCHES_RCVD autolearn=no version=3.3.2
X-HELO: mail-ob0-f177.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:sender:from:date:message-id:subject
	:to:content-type;
	bh=hPm8sn1x18YZM84Ffm0IUi/zhTDgwf8g1hBYBeSnZe4=;
	b=FeTF+baCngBRM74BWalB8utAhbFb8NI3f2dnmzMOIRrjhVtX5uYy1OWvWQembjGlkO
	JC7Is09e2gbgMN52u9mdb+TCUI4P1QS4U5BfbUTg2aKpEjB1uMn5SLaF8JBYF7XWvhqC
	qTOo2gvjbPnj9rHOwZCqNw+kaydXX502mgyAiFpdPDaUk3Kt8Q0MsZQYHXmGeQDnY6QE
	JZ7030vu2QHIwEDoMUMYREX0nBfPo0bduW+0sWCEDCT8ssw0DPSewhxpC8O8wrJyD0+/
	W0E+nWCz9LVyiTI8EYdd7+jm4s7oLKxjfroqe3vjwMa0Az4hCtU2chfC5fCaO6RreoQ9
	zAng==
X-Gm-Message-State: 
 ALoCoQmtfMZAPHNHouMuFwKD+ano6cQzhmqGjoMtqErDe05zBitUkyQydw59aQdRyain9CgV1pQu
X-Received: by 10.182.138.71 with SMTP id qo7mr1615607obb.66.1425098982777;
	Fri, 27 Feb 2015 20:49:42 -0800 (PST)
MIME-Version: 1.0
From: Paul Pluzhnikov <ppluzhnikov@gmail.com>
Date: Fri, 27 Feb 2015 20:49:12 -0800
Message-ID: 
 <CALoOobOmyAj1Yu6ZoKzsGpJ2GcRJXLcZVauH6h7a=mPJxFZzKw@mail.gmail.com>
Subject: [patch] Fix for BZ 18042 buffer-overflow (read past the end) in
	wordexp/parse_backtick/parse_backslash
To: GLIBC Devel <libc-alpha@sourceware.org>

Greetings,

parse_backslash() expects to be looking *at* backslash, not past it.


2015-02-27  Paul Pluzhnikov  <ppluzhnikov@google.com>

        [BZ #18042]
        * posix/wordexp.c (parse_backtick): Fix off-by-one.
        * posix/wordexp-test.c: Add test.

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 8a312e0..0647044 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -232,6 +232,9 @@ struct test_case_struct
     { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
     { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
 
+    /* BZ 18042 */
+    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },
+
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };
 
diff --git a/posix/wordexp.c b/posix/wordexp.c
index e3d8d6b..e75b92e 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -2143,7 +2143,6 @@ parse_backtick (char **word, size_t *word_length, size_t *max_length,
 	      break;
 	    }
 
-	  ++(*offset);
 	  error = parse_backslash (&comm, &comm_length, &comm_maxlen, words,
 				   offset);