Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars...

diff --git a/ChangeLog b/ChangeLog
index abb948f36f11b46ae6ef5fffad335a7954300b5a..a7bd5b743ca315cc5244b3f579862c01ef8ea8ae 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-03-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
+
+       [BZ #18043]
+       * posix/wordexp.c (parse_param): Fix buffer overflow.
+       * posix/wordexp-test.c (test_case): Add test case.
+
 2015-03-09  Paul Pluzhnikov  <ppluzhnikov@google.com>
 
        [BZ #18042]

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 845407e5372e15644c74af06b20f4f5b4f2ed0b2..0a353a45c3cb7ef6756ceaa6ae261d87c13bd2ec 100644 (file)
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -234,8 +234,9 @@ struct test_case_struct
     { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
     { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
 
-    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },  /* BZ 18042  */
-    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },   /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },     /* BZ 18042  */
+    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },      /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS },   /* BZ 18043#c4  */
 
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };

diff --git a/posix/wordexp.c b/posix/wordexp.c
index ae4fd72b821fdf132031321215f47df2bcdded4f..36b6fff0dbf5111af519410e73f9328b8cdd1b27 100644 (file)
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
          break;
 
        case ':':
-         if (strchr ("-=?+", words[1 + *offset]) == NULL)
+         if (words[1 + *offset] == '\0'
+             || strchr ("-=?+", words[1 + *offset]) == NULL)
            goto syntax;
 
          colon_seen = 1;