From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 74691 invoked by alias); 9 Mar 2015 22:35:52 -0000 Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Post: List-Help: , Sender: glibc-bugs-owner@sourceware.org Received: (qmail 74663 invoked by uid 48); 9 Mar 2015 22:35:48 -0000 From: "konstantin.s.serebryany at gmail dot com" To: glibc-bugs@sourceware.org Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param Date: Mon, 09 Mar 2015 22:35:00 -0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: libc X-Bugzilla-Version: 2.21 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: konstantin.s.serebryany at gmail dot com X-Bugzilla-Status: REOPENED X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: ppluzhnikov at google dot com X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: security+ X-Bugzilla-Changed-Fields: bug_status resolution Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-SW-Source: 2015-03/txt/msg00094.txt.bz2 https://sourceware.org/bugzilla/show_bug.cgi?id=18043 Kostya Serebryany changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED |--- --- Comment #19 from Kostya Serebryany --- Ah, let's continue here if you don't mind. #include #include int main() { wordexp_t w1, w2; wordexp("${Ca=}", &w1, 0); wordexp("${Ca=}", &w2, 0); } ==11533== Invalid read of size 1 ==11533== at 0x4F1DC84: parse_param (wordexp.c:1570) ==11533== by 0x4F1DC84: parse_dollars (wordexp.c:2102) ==11533== by 0x4F1FFEB: wordexp (wordexp.c:2348) ==11533== Address 0x51fb4a3 is 0 bytes after a block of size 3 alloc'd ==11533== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296) ==11533== by 0x4E71C59: __add_to_environ (setenv.c:193) ==11533== by 0x4C321FF: setenv (vg_replace_strmem.c:1844) ==11533== by 0x4F1F045: parse_param (wordexp.c:1915) ==11533== by 0x4F1F045: parse_dollars (wordexp.c:2102) ==11533== by 0x4F1FFEB: wordexp (wordexp.c:2348) ==11533== ==11533== Invalid read of size 1 ==11533== at 0x4F1DB39: parse_param (wordexp.c:1894) ==11533== by 0x4F1DB39: parse_dollars (wordexp.c:2102) ==11533== by 0x4F1FFEB: wordexp (wordexp.c:2348) ==11533== Address 0x51fb4a3 is 0 bytes after a block of size 3 alloc'd ==11533== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296) ==11533== by 0x4E71C59: __add_to_environ (setenv.c:193) ==11533== by 0x4C321FF: setenv (vg_replace_strmem.c:1844) ==11533== by 0x4F1F045: parse_param (wordexp.c:1915) ==11533== by 0x4F1F045: parse_dollars (wordexp.c:2102) ==11533== by 0x4F1FFEB: wordexp (wordexp.c:2348) -- You are receiving this mail because: You are on the CC list for the bug.