#include <wordexp.h>

/* Reproducer: this pattern reaches the assertion in parse_param. */
int main(void)
{
    wordexp_t w;
    wordexp("*??\\\\/::${#r-}", &w, 0);
    return 0;
}

gcc we12.c && ./a.out
a.out: wordexp.c:1937: parse_param: Assertion `value != ((void *)0)' failed.
Aborted (core dumped)

2.19 and fresh trunk are affected. Same fuzzer, see https://sourceware.org/glibc/wiki/FuzzingLibc
Reachable even with WRDE_NOCMD, so this is a security issue in builds with asserts enabled (which we support).
I am not sure if we should fix that by removing that assert or by refactoring the code. That assertion is false because we do the following:

value = pattern ? __strdup (pattern) : pattern;
free_value = 1;
(In reply to Florian Weimer from comment #1)
> Reachable even with WRDE_NOCMD, so this is a security issue in builds with
> asserts enabled (which we support).

This is incorrect because wordexp is inherently DoS-prone with crafted patterns.
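As an added check (example code written for this page, not the reporter's reproducer and not part of glibc): a harness that runs wordexp() on each pattern inside a forked child and classifies what happened, so that an assertion failure on a crafted pattern shows up as "ABORTED (SIGABRT)" in the report instead of killing the driver. This is the shape of test a fuzzer triage script wants when the crash is inside libc itself. It assumes a POSIX system with fork() and a glibc- or musl-style wordexp(); the names probe_wordexp, probe_result and outcome_name are my own, and the three input patterns are constructed (the third one is the reproducer from the report above).

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
#include <wordexp.h>

/* What happened when wordexp() ran on a pattern inside an isolated child. */
enum probe_outcome { PROBE_OK, PROBE_ERR, PROBE_ABORTED, PROBE_OTHER };

struct probe_result {
    enum probe_outcome outcome;
    int code;      /* wordexp() return value for OK/ERR, signal number otherwise */
    size_t nwords; /* we_wordc when outcome == PROBE_OK */
};

/* Run wordexp(pattern, flags) in a forked child so that an assertion
 * failure (SIGABRT) or any other crash inside libc cannot take down the
 * caller. The child reports the return value and word count over a pipe. */
static struct probe_result probe_wordexp(const char *pattern, int flags)
{
    struct probe_result r = { PROBE_OTHER, -1, 0 };
    int fd[2];
    if (pipe(fd) != 0)
        return r;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd[0]);
        close(fd[1]);
        return r;
    }
    if (pid == 0) {
        /* Child: the only code that touches wordexp(). */
        close(fd[0]);
        wordexp_t w;
        int rc = wordexp(pattern, &w, flags);
        size_t n = (rc == 0) ? w.we_wordc : 0;
        if (write(fd[1], &rc, sizeof rc) != (ssize_t) sizeof rc ||
            write(fd[1], &n, sizeof n) != (ssize_t) sizeof n)
            _exit(1);
        _exit(0);
    }

    /* Parent: collect the report first, then the exit status. */
    close(fd[1]);
    int rc = 0;
    size_t n = 0;
    ssize_t got_rc = read(fd[0], &rc, sizeof rc);
    ssize_t got_n = read(fd[0], &n, sizeof n);
    close(fd[0]);

    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return r;
    if (WIFSIGNALED(status)) {
        /* A glibc assertion failure ends in abort(), i.e. SIGABRT. */
        r.code = WTERMSIG(status);
        r.outcome = (r.code == SIGABRT) ? PROBE_ABORTED : PROBE_OTHER;
        return r;
    }
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
        got_rc == (ssize_t) sizeof rc && got_n == (ssize_t) sizeof n) {
        r.code = rc;
        r.nwords = n;
        r.outcome = (rc == 0) ? PROBE_OK : PROBE_ERR;
    }
    return r;
}

static const char *outcome_name(enum probe_outcome o)
{
    switch (o) {
    case PROBE_OK:      return "ok";
    case PROBE_ERR:     return "error";
    case PROBE_ABORTED: return "ABORTED (SIGABRT)";
    default:            return "other";
    }
}

int main(void)
{
    /* Constructed inputs: a benign pattern, a command substitution that
     * WRDE_NOCMD must reject, and the reproducer from the report above. */
    const char *patterns[] = { "a b c", "$(true)", "*??\\\\/::${#r-}" };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++) {
        struct probe_result r = probe_wordexp(patterns[i], WRDE_NOCMD);
        printf("%-20s -> %s (code %d, %zu words)\n", patterns[i],
               outcome_name(r.outcome), r.code, r.nwords);
    }
    return 0;
}
```

With WRDE_NOCMD the benign pattern expands to three words and the command substitution is refused with WRDE_CMDSUB; on an affected glibc the third line reads "ABORTED (SIGABRT)", which is exactly the observation in comment #1 that the assertion is reachable without command substitution. On a libc that handles the pattern, the harness reports a normal return or an error code instead, so the same driver doubles as a regression check.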