This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/18043] buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param


https://sourceware.org/bugzilla/show_bug.cgi?id=18043

--- Comment #13 from Kostya Serebryany <konstantin.s.serebryany at gmail dot com> ---
here it is: 

#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

int main(void) {
  /* Reproducer: the NULL value is deliberate; it is what the fuzzer passed.
     The valgrind trace below shows it produces a 3-byte "Ca=" entry. */
  setenv("Ca", NULL, 1);
  char *p = strdup("${Ca=}");
  wordexp_t w;
  /* The invalid read happens in parse_param while expanding ${Ca=}. */
  int rc = wordexp(p, &w, 0);
  if (rc == 0)
    wordfree(&w);
  free(p);
  return 0;
}


==15178== Invalid read of size 1
==15178==    at 0x4F1DC84: parse_param (wordexp.c:1570)
==15178==    by 0x4F1DC84: parse_dollars (wordexp.c:2102)
==15178==    by 0x4F1FFEB: wordexp (wordexp.c:2348)
==15178==    by 0x400613: main
==15178==  Address 0x51fb043 is 0 bytes after a block of size 3 alloc'd
==15178==    at 0x4C2ABBD: malloc (vg_replace_malloc.c:296)
==15178==    by 0x4E71DEC: __add_to_environ (setenv.c:267)
==15178==    by 0x4C321FF: setenv (vg_replace_strmem.c:1844)
==15178==    by 0x4005ED: main


In my fuzzer, one of the runs of wordexp sets the env var to NULL,
and then the other iteration tries to read that env var.



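The comment above describes a fuzz harness that handed `setenv` a NULL value and then had `wordexp` read the resulting environment entry. The following is an added example, not code from the bug report or from glibc, showing the two guards a harness for `wordexp(3)` should have: reject the inputs `setenv(3)` is not specified for (NULL value, empty name, `=` in the name) before they reach the environment, and expand with `WRDE_NOCMD` so `$(...)` and backticks are refused instead of being run through `/bin/sh`. The helper names `setenv_checked`, `expand_words` and `free_words`, and the sample patterns, are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical helper (not glibc's): the guard the harness was missing.
   Refuses a NULL or empty name, a name containing '=', and a NULL value,
   so the environment never receives a malformed "NAME=" entry; anything
   else is passed through to setenv with overwrite enabled. */
int setenv_checked(const char *name, const char *value)
{
  if (name == NULL || *name == '\0' || strchr(name, '=') != NULL || value == NULL) {
    errno = EINVAL;
    return -1;
  }
  return setenv(name, value, 1);
}

/* Hypothetical helper: expand PATTERN with wordexp(3) under WRDE_NOCMD so
   that command substitution is rejected (WRDE_CMDSUB) rather than executed.
   Copies up to MAX words into OUT (caller frees them with free_words) and
   returns the word count, or -1 on any wordexp error. */
int expand_words(const char *pattern, char **out, size_t max)
{
  wordexp_t we;
  int rc = wordexp(pattern, &we, WRDE_NOCMD);
  if (rc != 0)
    return -1;                      /* WRDE_CMDSUB, WRDE_SYNTAX, WRDE_NOSPACE, ... */
  size_t n = we.we_wordc < max ? we.we_wordc : max;
  for (size_t i = 0; i < n; i++)
    out[i] = strdup(we.we_wordv[i]);
  wordfree(&we);
  return (int)n;
}

/* Release the strings handed out by expand_words. */
void free_words(char **words, int n)
{
  for (int i = 0; i < n; i++)
    free(words[i]);
}

int main(void)
{
  char *words[8];

  /* The report's input: a NULL value is rejected before it reaches setenv. */
  if (setenv_checked("Ca", NULL) != 0)
    printf("setenv_checked(\"Ca\", NULL) rejected: %s\n", strerror(errno));

  /* A null (empty) value is legal; ${Ca:-fallback} substitutes for it. */
  setenv_checked("Ca", "");
  int n = expand_words("${Ca:-fallback} tail", words, 8);
  for (int i = 0; i < n; i++)
    printf("word[%d] = \"%s\"\n", i, words[i]);
  free_words(words, n);

  /* Command substitution is refused under WRDE_NOCMD. */
  n = expand_words("$(id)", words, 8);
  printf("$(id) -> %s\n", n < 0 ? "rejected" : "expanded");
  return 0;
}
```

The `WRDE_NOCMD` flag is the one to keep in any program that passes attacker-influenced strings to `wordexp`: without it, a pattern such as `$(id)` is executed by the shell. The value check in `setenv_checked` is what would have kept the fuzzer's NULL out of the environment in the first place.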