[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param

["ppluzhnikov at google dot com" <sourceware-bugzilla at sourceware dot org>]

https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #15 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
(In reply to Kostya Serebryany from comment #14)
> same happens with 
>   setenv("Ca", "", 1);

This one is not reproducing for me with either 2.19 or trunk.

OTOH, with test from comment #13, both from glibc-2.19 and trunk give me two
separate overflows:

==3325== Invalid read of size 1
==3325==    at 0x48EBF9E: parse_dollars (/glibc-git/posix/wordexp.c:1573)
==3325==    by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325==    by 0x400613: main (/tmp/t.c:8)
==3325==  Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325==    at 0x480B7C4: malloc
(valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325==    by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325==    by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325==    by 0x4005ED: main (/tmp/t.c:5)
==3325==
==3325== Invalid read of size 1
==3325==    at 0x48EBD15: parse_dollars (/glibc-git/posix/wordexp.c:1897)
==3325==    by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325==    by 0x400613: main (/tmp/t.c:8)
==3325==  Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325==    at 0x480B7C4: malloc
(valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325==    by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325==    by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325==    by 0x4005ED: main (/tmp/t.c:5)

Thanks for the test!

-- 
You are receiving this mail because:
You are on the CC list for the bug.