This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- From: "konstantin.s.serebryany at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 09 Mar 2015 19:09:42 +0000
- Subject: [Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
- Auto-submitted: auto-generated
- References: <bug-18043-131 at http dot sourceware dot org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=18043
--- Comment #13 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
here it is:
#include <wordexp.h>
#include <string.h>
#include <unistd.h>
int main() {
setenv("Ca", NULL, 1);
char *p = strdup("${Ca=}");
wordexp_t w;
wordexp(p, &w, 0);
}
==15178== Invalid read of size 1
==15178== at 0x4F1DC84: parse_param (wordexp.c:1570)
==15178== by 0x4F1DC84: parse_dollars (wordexp.c:2102)
==15178== by 0x4F1FFEB: wordexp (wordexp.c:2348)
==15178== by 0x400613: main
==15178== Address 0x51fb043 is 0 bytes after a block of size 3 alloc'd
==15178== at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==15178== by 0x4E71DEC: __add_to_environ (setenv.c:267)
==15178== by 0x4C321FF: setenv (vg_replace_strmem.c:1844)
==15178== by 0x4005ED: main
In my fuzzer one of the runs of wordexp is setting the env var to NULL
and then the other iteration tries to read that env. var.
--
You are receiving this mail because:
You are on the CC list for the bug.