From: Julian Squires <julian@cipht.net>
To: libc-alpha@sourceware.org
Cc: Julian Squires <julian@cipht.net>
Subject: [PATCH] posix: Fix some null deferences in wordexp [BZ #18096]
Date: Sat, 18 Mar 2023 10:29:50 -0230	[thread overview]
Message-ID: <20230318125950.3611824-1-julian@cipht.net> (raw)

Without these fixes, the first three included tests segfault (on a
NULL dereference); the third aborts on an assertion.

Signed-off-by: Julian Squires <julian@cipht.net>
---
I wasn't aware of the long-languishing issue in Bugzilla before
starting this, which largely includes the same changes, but perhaps
supplying this with test cases will help it be adopted.  Despite the
security exception for wordexp, it still seems reasonable not to crash
in these cases.

 posix/wordexp-test.c |  4 ++++
 posix/wordexp.c      | 12 ++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index f7a591149b..bae27d6cee 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -117,6 +117,8 @@ struct test_case_struct
     { 0, NULL, "$((010+0x10))", 0, 1, { "24" }, IFS },
     { 0, NULL, "$((-010+0x10))", 0, 1, { "8" }, IFS },
     { 0, NULL, "$((-0x10+010))", 0, 1, { "-8" }, IFS },
+    { 0, NULL, "$(())", 0, 1, { "0", }, IFS },
+    { 0, NULL, "$[]", 0, 1, { "0", }, IFS },
 
     /* Advanced parameter expansion */
     { 0, NULL, "${var:-bar}", 0, 1, { "bar", }, IFS },
@@ -138,6 +140,8 @@ struct test_case_struct
     { 0, "12345", "${#var}", 0, 1, { "5", }, IFS },
     { 0, NULL, "${var:-'}'}", 0, 1, { "}", }, IFS },
     { 0, NULL, "${var-}", 0, 0, { NULL }, IFS },
+    { 0, NULL, "${a?}", 0, 0, { NULL, }, IFS },
+    { 0, NULL, "${#a=}", 0, 1, { "0", }, IFS },
 
     { 0, "pizza", "${var#${var}}", 0, 0, { NULL }, IFS },
     { 0, "pepperoni", "${var%$(echo oni)}", 0, 1, { "pepper" }, IFS },
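Review bot: The two added rows expand `a` rather than `var`, so they depend on whatever `a` holds in the inherited environment. The second column of this table appears to be the value the harness gives `var` (compare `"12345"` with `${#var}`). If `a` happens to be set when the test runs, neither row reaches the NULL-pattern path the patch fixes, and `${#a=}` may also leave `a` assigned for later rows. Using the managed variable keeps both cases hermetic: `{ 0, NULL, "${var?}", 0, 0, { NULL, }, IFS },` and `{ 0, NULL, "${#var=}", 0, 1, { "0", }, IFS },`. The harness code is outside the hunk, so confirm how it sets and clears the variable.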
diff --git a/posix/wordexp.c b/posix/wordexp.c
index 0da98f5b08..287bb05feb 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -720,7 +720,7 @@ parse_arith (char **word, size_t *word_length, size_t *max_length,
 	      ++(*offset);
 
 	      /* Go - evaluate. */
-	      if (*expr && eval_expr (expr, &numresult) != 0)
+	      if (expr && eval_expr (expr, &numresult) != 0)
 		{
 		  free (expr);
 		  return WRDE_SYNTAX;
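Review bot: Replacing `*expr` with `expr` fixes the NULL dereference but also drops the empty-string test, so a non-NULL, zero-length `expr` is now passed to `eval_expr` where it was skipped before. Whether any expansion path can leave `expr` allocated but empty is not visible here, nor is what `eval_expr` returns for `""`; keeping both guards avoids the question: `if (expr && *expr && eval_expr (expr, &numresult) != 0)`. The same applies to the second evaluation site in the next hunk. A whitespace-only case such as `$(( ))` in the test table would pin the intended result for near-empty expressions. parse_arith's body starts and ends outside the hunk.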
@@ -758,7 +758,7 @@ parse_arith (char **word, size_t *word_length, size_t *max_length,
 	      long int numresult = 0;
 
 	      /* Go - evaluate. */
-	      if (*expr && eval_expr (expr, &numresult) != 0)
+	      if (expr && eval_expr (expr, &numresult) != 0)
 		{
 		  free (expr);
 		  return WRDE_SYNTAX;
@@ -1790,7 +1790,7 @@ envsubst:
 	    {
 	      const char *str = pattern;
 
-	      if (str[0] == '\0')
+	      if (!str || str[0] == '\0')
 		str = _("parameter null or not set");
 
 	      __fxprintf (NULL, "%s: %s\n", env, str);
@@ -1813,7 +1813,7 @@ envsubst:
 	    goto success;
 
 	  value = pattern ? __strdup (pattern) : pattern;
-	  free_value = 1;
+	  free_value = !!pattern;
 
 	  if (pattern && !value)
 	    goto no_space;
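Review bot: `free_value = !!pattern;` appears here and in the next two hunks with no comment saying why ownership of `value` now depends on `pattern`. The reason, that `value` is a fresh `__strdup` copy only when `pattern` is non-NULL and is otherwise NULL with nothing to free, is easy to lose on a later edit. I would add `/* VALUE is ours to free only when PATTERN was duplicated; a NULL PATTERN leaves VALUE NULL. */` above the first assignment. The flag itself would read more plainly as `free_value = pattern != NULL;`. The consumer of `free_value` that motivated the change is outside these hunks, so the comment should name it once it is confirmed.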
@@ -1827,7 +1827,7 @@ envsubst:
 		free (value);
 
 	      value = pattern ? __strdup (pattern) : pattern;
-	      free_value = 1;
+	      free_value = !!pattern;
 
 	      if (pattern && !value)
 		goto no_space;
@@ -1857,7 +1857,7 @@ envsubst:
 	    free (value);
 
 	  value = pattern ? __strdup (pattern) : pattern;
-	  free_value = 1;
+	  free_value = !!pattern;
 
 	  if (pattern && !value)
 	    goto no_space;
-- 
2.39.2

