From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <glibc-bugs-return-27780-listarch-glibc-bugs=sources.redhat.com@sourceware.org>
Received: (qmail 114371 invoked by alias); 9 Mar 2015 06:21:28 -0000
Mailing-List: contact glibc-bugs-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <glibc-bugs.sourceware.org>
List-Subscribe: <mailto:glibc-bugs-subscribe@sourceware.org>
List-Post: <mailto:glibc-bugs@sourceware.org>
List-Help: <mailto:glibc-bugs-help@sourceware.org>, <http://sourceware.org/lists.html#faqs>
Sender: glibc-bugs-owner@sourceware.org
Received: (qmail 114337 invoked by uid 48); 9 Mar 2015 06:21:25 -0000
From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
Date: Mon, 09 Mar 2015 06:21:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: libc
X-Bugzilla-Version: 2.21
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: konstantin.s.serebryany at gmail dot com
X-Bugzilla-Status: REOPENED
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: ppluzhnikov at google dot com
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: security+
X-Bugzilla-Changed-Fields: bug_status resolution
Message-ID: <bug-18043-131-tgOTULi7L6@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-18043-131@http.sourceware.org/bugzilla/>
References: <bug-18043-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2015-03/txt/msg00073.txt.bz2

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

Kostya Serebryany <konstantin.s.serebryany at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #4 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
Thanks for the fix. There is one more, very similar looking bug, 
but it still reproduces after your fix. 

#include <wordexp.h>
#include <string.h>
int main() {
  char *p = strdup("L${a:");
  wordexp_t w;
  wordexp(p, &w, 0);
}

==26576== Invalid read of size 1
==26576==    at 0x4F1DEB4: parse_param (wordexp.c:1366)
==26576==    by 0x4F1DEB4: parse_dollars (wordexp.c:2102)
==26576==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==26576==    by 0x4005AA: main (we4.c:6)
==26576==  Address 0x51fb046 is 0 bytes after a block of size 6 alloc'd
==26576==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==26576==    by 0x4EBE839: strdup (strdup.c:42)
==26576==    by 0x40058E: main (we4.c:4)
==26576== 

(reopening this bug instead of creating a new one for simplicity)

-- 
You are receiving this mail because:
You are on the CC list for the bug.