This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- From: "ppluzhnikov at google dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 09 Mar 2015 19:22:24 +0000
- Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- Auto-submitted: auto-generated
- References: <bug-18043-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18043
--- Comment #15 from Paul Pluzhnikov <ppluzhnikov at google dot com> ---
(In reply to Kostya Serebryany from comment #14)
> same happens with
> setenv("Ca", "", 1);
This one is not reproducing for me with either 2.19 or trunk.
OTOH, with the test from comment #13, both glibc-2.19 and trunk give me two
separate overflows:
==3325== Invalid read of size 1
==3325== at 0x48EBF9E: parse_dollars (/glibc-git/posix/wordexp.c:1573)
==3325== by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325== by 0x400613: main (/tmp/t.c:8)
==3325== Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325== at 0x480B7C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325== by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325== by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325== by 0x4005ED: main (/tmp/t.c:5)
==3325==
==3325== Invalid read of size 1
==3325== at 0x48EBD15: parse_dollars (/glibc-git/posix/wordexp.c:1897)
==3325== by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325== by 0x400613: main (/tmp/t.c:8)
==3325== Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325== at 0x480B7C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325== by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325== by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325== by 0x4005ED: main (/tmp/t.c:5)
Thanks for the test!
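The two memcheck reports in comment #15 point at different read sites (wordexp.c:1573 and wordexp.c:1897) but the same 3-byte block allocated by __add_to_environ. Deciding whether that is one defect or two is the usual triage question with such reports, so here is a small parser, added as an example that is not part of the bug thread or of glibc, which extracts each "Invalid read/write" block from memcheck's default text output and groups the reports by the allocation they overrun. The embedded sample is the pair of reports quoted above with the mail-archive line wrapping undone; the regular expressions assume memcheck's stock line layout ("at/by PC: func (loc)" frames and the "Address ... is N bytes after a block of size M alloc'd" line) and ignore anything else.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the two memcheck reports quoted in comment #15,
# with the line wrapping of the mail archive undone.
SAMPLE = """\
==3325== Invalid read of size 1
==3325==    at 0x48EBF9E: parse_dollars (/glibc-git/posix/wordexp.c:1573)
==3325==    by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325==    by 0x400613: main (/tmp/t.c:8)
==3325==  Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325==    at 0x480B7C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325==    by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325==    by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325==    by 0x4005ED: main (/tmp/t.c:5)
==3325==
==3325== Invalid read of size 1
==3325==    at 0x48EBD15: parse_dollars (/glibc-git/posix/wordexp.c:1897)
==3325==    by 0x48ED3CA: wordexp (/glibc-git/posix/wordexp.c:2352)
==3325==    by 0x400613: main (/tmp/t.c:8)
==3325==  Address 0x4bb62d3 is 0 bytes after a block of size 3 alloc'd
==3325==    at 0x480B7C4: malloc (valgrind/coregrind/m_replacemalloc/vg_replace_malloc.c:270)
==3325==    by 0x484A6F6: __add_to_environ (/glibc-git/stdlib/setenv.c:202)
==3325==    by 0x480F4BF: setenv (valgrind/memcheck/mc_replace_strmem.c:1643)
==3325==    by 0x4005ED: main (/tmp/t.c:5)
"""

# Assumed memcheck text layout (default output, no XML).
PREFIX_RE = re.compile(r"^==\d+==\s*")
ERROR_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (\S+) \((.+)\)$")
ADDR_RE = re.compile(
    r"^Address (0x[0-9A-Fa-f]+) is (\d+) bytes (after|before|inside) "
    r"a block of size (\d+) (alloc'd|free'd)$")


@dataclass
class Frame:
    pc: str
    func: str
    loc: str


@dataclass
class Report:
    kind: str                      # "read" or "write"
    size: int                      # bytes accessed
    stack: List[Frame] = field(default_factory=list)       # faulting access
    address: str = ""
    offset: int = 0                # distance from the block boundary
    relation: str = ""             # "after", "before" or "inside"
    block_size: int = 0
    block_state: str = ""          # "alloc'd" or "free'd"
    alloc_stack: List[Frame] = field(default_factory=list)  # where the block came from


def parse_memcheck(text: str) -> List[Report]:
    """Turn raw memcheck output into Report objects; unrelated lines are ignored."""
    reports: List[Report] = []
    current = None
    in_alloc = False
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if not line:
            current, in_alloc = None, False     # a blank line ends a report
            continue
        m = ERROR_RE.match(line)
        if m:
            current = Report(kind=m.group(1), size=int(m.group(2)))
            reports.append(current)
            in_alloc = False
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            current.address, current.relation, current.block_state = m.group(1, 3, 5)
            current.offset, current.block_size = int(m.group(2)), int(m.group(4))
            in_alloc = True                     # frames from here on describe the allocation
            continue
        m = FRAME_RE.match(line)
        if m:
            (current.alloc_stack if in_alloc else current.stack).append(Frame(*m.groups()))
    return reports


def group_by_allocation(reports: List[Report]) -> Dict[Tuple, List[Report]]:
    """Key each report by the block it touches (size plus full allocation stack).
    Several reports under one key are reads of the same buffer from different code paths."""
    groups: Dict[Tuple, List[Report]] = {}
    for r in reports:
        key = (r.block_size, tuple(f"{f.func} ({f.loc})" for f in r.alloc_stack))
        groups.setdefault(key, []).append(r)
    return groups


if __name__ == "__main__":
    reps = parse_memcheck(SAMPLE)
    for r in reps:
        site = r.stack[0]
        print(f"{r.kind} of {r.size} byte(s) at {site.func} ({site.loc}): "
              f"{r.offset} bytes {r.relation} a {r.block_size}-byte block ({r.block_state})")
    for (size, _), members in group_by_allocation(reps).items():
        print(f"{len(members)} report(s) overrun the same {size}-byte block")
```

On the sample this yields one group containing both reports: the buffer is the environment string created by setenv in main, and parse_dollars reads one byte past its end from two different places. Grouping by allocation site rather than by read site is what tells you that a single bounds check on the consumer side, rather than two unrelated fixes, is the thing to look for.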