Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param

author: Paul Pluzhnikov <ppluzhnikov@google.com> 2015-03-09 07:22:36 -0700
committer: Paul Pluzhnikov <ppluzhnikov@google.com> 2015-03-09 07:22:36 -0700
commit: 5f85a4bf9460b953a35f2beae54acaa8c1310a29 (patch)
tree: 912e656fd117c3cffcd58aed5a1e57b79527332c /posix
parent: 95f386609f378063b35e0c4ede8c2d2ceea91f51 (diff)
2 files changed, 5 insertions, 3 deletions
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 845407e537..0a353a45c3 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -234,8 +234,9 @@ struct test_case_struct
     { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
     { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
 
-    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },  /* BZ 18042  */
-    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },   /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },     /* BZ 18042  */
+    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },      /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS },   /* BZ 18043#c4  */
 
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };
diff --git a/posix/wordexp.c b/posix/wordexp.c
index ae4fd72b82..36b6fff0db 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
 	  break;
 
 	case ':':
-	  if (strchr ("-=?+", words[1 + *offset]) == NULL)
+	  if (words[1 + *offset] == '\0'
+	      || strchr ("-=?+", words[1 + *offset]) == NULL)
 	    goto syntax;
 
 	  colon_seen = 1;
author	Paul Pluzhnikov <ppluzhnikov@google.com>	2015-03-09 07:22:36 -0700
committer	Paul Pluzhnikov <ppluzhnikov@google.com>	2015-03-09 07:22:36 -0700
commit	5f85a4bf9460b953a35f2beae54acaa8c1310a29 (patch)
tree	912e656fd117c3cffcd58aed5a1e57b79527332c /posix
parent	95f386609f378063b35e0c4ede8c2d2ceea91f51 (diff)