This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 09 Mar 2015 06:21:24 +0000
- Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- Auto-submitted: auto-generated
- References: <bug-18043-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18043
Kostya Serebryany <konstantin.s.serebryany at gmail dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |RESOLVED                    |REOPENED
     Resolution    |FIXED                       |---
--- Comment #4 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
Thanks for the fix. There is one more, very similar looking bug,
but it still reproduces after your fix.
#include <wordexp.h>
#include <string.h>   /* strdup */
int main(void) {
  char *p = strdup("L${a:");  /* 6-byte heap block: 5 chars plus the NUL */
  wordexp_t w;
  wordexp(p, &w, 0);          /* over-read at p[6], one past the terminator */
  return 0;
}
==26576== Invalid read of size 1
==26576== at 0x4F1DEB4: parse_param (wordexp.c:1366)
==26576== by 0x4F1DEB4: parse_dollars (wordexp.c:2102)
==26576== by 0x4F1FFEB: wordexp (wordexp.c:2348)
==26576== by 0x4005AA: main (we4.c:6)
==26576== Address 0x51fb046 is 0 bytes after a block of size 6 alloc'd
==26576== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==26576== by 0x4EBE839: strdup (strdup.c:42)
==26576== by 0x40058E: main (we4.c:4)
==26576==
(reopening this bug instead of creating a new one for simplicity)
--
You are receiving this mail because:
You are on the CC list for the bug.
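As an added illustration of the bug class in this report (not glibc's wordexp.c and not code from the report itself), the following miniature scanner for "${name:<op>word}" reads one byte past the NUL of a truncated "${a:" input, exactly the index that valgrind flagged above (index 6 of a 6-byte block), and a bounded version next to it does not. The functions scan_param_buggy, scan_param_fixed, at(), run(), the strchr() pitfall used to make the buggy variant plausible, and the sample inputs are all constructed for this example; they make no claim about what glibc's parse_param actually did.

```c
/* Added example (illustrative, not glibc's wordexp.c): a miniature scanner for
   "${name:<op>word}" that shows the bug class in this report, walking past the
   NUL terminator of a truncated "${a:" input, next to a bounded version.
   scan_param_buggy, scan_param_fixed, at(), run() and the sample inputs are
   all constructed for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { OK = 0, SYNTAX = 1, OVERREAD = 2 };

/* Instrumented view of the caller's string.  Every read goes through at(),
   which allows indices 0..len (len is the NUL) and records the first index
   beyond that instead of dereferencing it.  Real code just reads the byte,
   which is what valgrind flagged in the report. */
struct buf { const char *s; size_t len; int overread; size_t bad_index; };

static char at(struct buf *b, size_t i)
{
    if (i > b->len) {
        if (!b->overread) { b->overread = 1; b->bad_index = i; }
        return 0;
    }
    return b->s[i];
}

/* Buggy scanner.  After the ':' it validates the operator with strchr(), but
   strchr() also matches the terminating NUL, so op == 0 passes and the scan
   steps two bytes past the ':' -- one byte past the end of "L${a:". */
static int scan_param_buggy(struct buf *b, size_t *pos)
{
    size_t i = *pos;                              /* points at '$' */
    if (at(b, i) != '$' || at(b, i + 1) != '{') return SYNTAX;
    i += 2;
    while (at(b, i) != 0 && at(b, i) != ':' && at(b, i) != '}') i++;   /* name */
    if (at(b, i) == ':') {
        char op = at(b, i + 1);
        if (!strchr("-=?+", op)) return SYNTAX;   /* accepts op == 0 */
        i += 2;                                   /* skip ':' and op blindly */
        while (at(b, i) != 0 && at(b, i) != '}') i++;                   /* word */
    }
    if (at(b, i) != '}') return SYNTAX;
    *pos = i + 1;
    return OK;
}

/* Fixed scanner: the only change is an explicit end-of-string check on the
   operator byte before advancing over it. */
static int scan_param_fixed(struct buf *b, size_t *pos)
{
    size_t i = *pos;
    if (at(b, i) != '$' || at(b, i + 1) != '{') return SYNTAX;
    i += 2;
    while (at(b, i) != 0 && at(b, i) != ':' && at(b, i) != '}') i++;
    if (at(b, i) == ':') {
        char op = at(b, i + 1);
        if (op == 0 || !strchr("-=?+", op)) return SYNTAX;   /* stop at NUL */
        i += 2;
        while (at(b, i) != 0 && at(b, i) != '}') i++;
    }
    if (at(b, i) != '}') return SYNTAX;
    *pos = i + 1;
    return OK;
}

struct outcome { int status; size_t overread_at; };

/* Run one scanner over s, starting at its first '$' (the leading "L" in the
   report's reproducer is an ordinary literal).  overread_at is the first
   out-of-bounds index touched, or 0 if none. */
static struct outcome run(int (*scan)(struct buf *, size_t *), const char *s)
{
    struct buf b = { s, strlen(s), 0, 0 };
    struct outcome o = { OK, 0 };
    const char *dollar = strchr(s, '$');
    if (dollar) {
        size_t pos = (size_t)(dollar - s);
        o.status = scan(&b, &pos);
    }
    if (b.overread) { o.status = OVERREAD; o.overread_at = b.bad_index; }
    return o;
}

int main(void)
{
    /* constructed inputs: the report's "L${a:" plus a few well-formed and
       truncated variants */
    const char *inputs[] = { "L${a:", "${a:-b}", "${a}", "${a", "${a:x}" };
    const char *names[] = { "ok", "syntax error", "OVER-READ" };
    for (size_t k = 0; k < sizeof inputs / sizeof *inputs; k++) {
        struct outcome bug = run(scan_param_buggy, inputs[k]);
        struct outcome fix = run(scan_param_fixed, inputs[k]);
        printf("%-9s buggy: %s", inputs[k], names[bug.status]);
        if (bug.status == OVERREAD) printf(" at index %zu", bug.overread_at);
        printf("  fixed: %s\n", names[fix.status]);
    }
    return 0;
}
```

The at() accessor plays the role valgrind or AddressSanitizer plays for the real reproducer: a scanner that relies on the NUL terminator as its only sentinel must re-check for NUL after every lookahead it steps over, and a strchr()-based operator check is not such a check because strchr() matches the terminator.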