Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param

2024-11-09 23:00:07 +00:00 · 2015-03-09 07:22:36 -07:00 · 2015-03-09 07:22:36 -07:00 · 5f85a4bf94
commit 5f85a4bf94
parent 95f386609f
3 changed files with 11 additions and 3 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
 2015-03-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 	[BZ #18043]
 	* posix/wordexp.c (parse_param): Fix buffer overflow.
 	* posix/wordexp-test.c (test_case): Add test case.
 2015-03-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 	[BZ #18042]
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@ -234,8 +234,9 @@ struct test_case_struct
    { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
    { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
-    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },  /* BZ 18042  */
+    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },     /* BZ 18042  */
-    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },   /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },      /* BZ 18043  */
    { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS },   /* BZ 18043#c4  */
    { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
  };
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
 	  break;
 	case ':':
-	  if (strchr ("-=?+", words[1 + *offset]) == NULL)
+	  if (words[1 + *offset] == '\0'
 	      || strchr ("-=?+", words[1 + *offset]) == NULL)
 	    goto syntax;
 	  colon_seen = 1;