Found by oss-fuzz. Quick reproducer is:

```
#include <wordexp.h>

int main(void)
{
  wordexp_t p;
  /* Fuzzer-generated input; the `${8888888888888...}` positional-parameter
     reference is the part that reaches parse_param. */
  int ret = wordexp("\"data:888888888888888888888888888888e},},${8888888888888##sioiondata:ap gi37 },},{8888888888SSSSSSSSSSSSSS88883********888888888888888888888888888888e},},{8888888888888 ##sioiondata:ap gi37 TTTT05T98TTTT047798T\xff\xff\xff\xd1\xff\xff\xff\xb1TTTTT9TT//////// /Y/ 80371588u40)2961kata:888##sioiondata>ap )", &p, 0);
  return ret;
}
```

Stack trace is:

```
==797==ERROR: AddressSanitizer: SEGV on unknown address 0x7ff8ed1c2b28 (pc 0x7f11b008eee0 bp 0x616000001880 sp 0x7ffc14979fa0 T0)
==797==The signal is caused by a READ memory access.
SCARINESS: 20 (wild-addr-read)
    #0 0x7f11b008eee0 in parse_param /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:1466
    #1 0x7f11b008eee0 in parse_dollars /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2112
    #2 0x7f11b0090ed7 in parse_dquote /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2198
    #3 0x7f11b0090ed7 in wordexp /build/glibc-e6zv40/glibc-2.23/posix/wordexp.c:2379
```
Fixed in 2.34.
Thanks Andreas
The fix:

From: Andreas Schwab <schwab@linux-m68k.org>
Date: Fri, 25 Jun 2021 13:02:47 +0000 (+0200)
Subject: wordexp: handle overflow in positional parameter number (bug 28011)
X-Git-Url: https://sourceware.org/git/?p=glibc.git;a=commitdiff_plain;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c

wordexp: handle overflow in positional parameter number (bug 28011)

Use strtoul instead of atoi so that overflow can be detected.
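The point of the commit message (atoi cannot signal overflow, strtoul can) as an added illustration, not glibc's wordexp code: a simplified positional-parameter lookup over a constructed parameter list, with the atoi form next to the strtoul form that rejects overflowing or malformed numbers before they become an index.

```c
/* Illustration of the bug class named in the commit message: turning the
   digit string of a ${N} positional-parameter reference into an index.
   Simplified stand-alone model, not glibc's wordexp implementation. */
#include <errno.h>
#include <stdlib.h>

/* Constructed positional parameters standing in for $0, $1, $2. */
static const char *const params[] = { "prog", "one", "two" };
#define NPARAMS (sizeof params / sizeof params[0])

/* Before: atoi() has no way to report overflow.  For a digit run like the
   reproducer's, its result is undefined (in practice an arbitrary int), so
   the caller cannot tell a wrapped value from a real parameter number. */
const char *lookup_atoi(const char *digits)
{
    int n = atoi(digits);
    if (n >= (int) NPARAMS)
        return NULL;          /* signed compare lets a wrapped negative n through */
    return params[n];         /* ... and that n reads before the array */
}

/* After: strtoul() reports overflow through errno == ERANGE and returns
   where parsing stopped, so an unrepresentable or malformed number is
   rejected instead of silently becoming an index.  Returns 0 on success. */
int parse_param_number(const char *digits, size_t *out)
{
    char *end;
    unsigned long n;

    if (*digits < '0' || *digits > '9')
        return -1;            /* strtoul would also accept "-1", " 2", "+2" */
    errno = 0;
    n = strtoul(digits, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;            /* overflow, or trailing junk such as "2x" */
    if (n >= NPARAMS)
        return -1;            /* representable, but not a parameter we have */
    *out = (size_t) n;
    return 0;
}

const char *lookup_strtoul(const char *digits)
{
    size_t n;
    return parse_param_number(digits, &n) == 0 ? params[n] : NULL;
}
```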