This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 09 Mar 2015 16:42:27 +0000
- Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- Auto-submitted: auto-generated
- References: <bug-18043-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18043
Kostya Serebryany <konstantin.s.serebryany at gmail dot com> changed:
What        |Removed   |Added
----------------------------------------------------------------------------
Status      |RESOLVED  |REOPENED
Resolution  |FIXED     |---
--- Comment #7 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
(In reply to Paul Pluzhnikov from comment #6)
> Second case fixed.
I've tweaked the fuzzer a bit and it produced something else:
pattern: "${Ca+da}"
This time it is reproducible only on glibc trunk, so I can't reproduce it with valgrind.
Can you see it?
==22916==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6020001625f2 at pc 0x7f58e333187e bp 0x7fff8223fe90 sp 0x7fff8223fe88
READ of size 1 at 0x6020001625f2 thread T0
#0 0x7f58e333187d in parse_param posix/wordexp.c:1581:18
#1 0x7f58e333187d in parse_dollars posix/wordexp.c:2103
#2 0x7f58e33212ac in parse_glob posix/wordexp.c:490:12
#3 0x7f58e33212ac in wordexp posix/wordexp.c:2416
0x6020001625f2 is located 0 bytes to the right of 2-byte region
[0x6020001625f0,0x6020001625f2)
allocated by thread T0 here:
#0 0x4a1eab in malloc
#1 0x7f58e321a546 in __add_to_environ stdlib/setenv.c:202
#2 0x7f58e332d8c3 in parse_param posix/wordexp.c:1916:4
#3 0x7f58e332d8c3 in parse_dollars posix/wordexp.c:2103
#4 0x7f58e332102b in wordexp posix/wordexp.c:2348:10