From patchwork Mon Mar  9 14:28:08 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Paul Pluzhnikov <ppluzhnikov@gmail.com>
X-Patchwork-Id: 448036
Return-Path: 
 <libc-alpha-return-57785-incoming=patchwork.ozlabs.org@sourceware.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from sourceware.org (server1.sourceware.org [209.132.180.131])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 6878514011D
	for <incoming@patchwork.ozlabs.org>;
	Tue, 10 Mar 2015 01:28:59 +1100 (AEDT)
Authentication-Results: ozlabs.org; dkim=pass
	reason="1024-bit key; unprotected key"
	header.d=sourceware.org header.i=@sourceware.org header.b=uO06If7F;
	dkim-adsp=none (unprotected policy); dkim-atps=neutral
DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:from:date:message-id:subject:to
	:content-type; q=dns; s=default; b=LYuqqrBa59SLzMZgGxE+KrCqWl2/e
	hmCQSM5drG4gn9HFEx8LC58mhrdldWfO4/hq1FInvY+gn9lH6NDzBv/rU/WEmKw7
	BWiI54f475u55iRa+XdrXgN0NjzLyNnXrmegAwiSVxcoCi3bonp/zYscnM3QVwcW
	8NWNP2eZdiQOrM=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id
	:list-unsubscribe:list-subscribe:list-archive:list-post
	:list-help:sender:mime-version:from:date:message-id:subject:to
	:content-type; s=default; bh=hgm9OOWCloC/bWfVYEP+uyy8iQI=; b=uO0
	6If7FPMwa/hmXktpeM8RytXFzv4kwCpT9HK21TUFah24uVzd1xpnhb4bC5AUuePo
	Fj6lf7zauNze+A9gKSHjAdMVOFguujsCc5gy5I0JVuMZp+dcbRhlPfID2GzxHhmg
	EPziP6bLK14fvE9EmBhrsGdhVjtbkI1UjOV6i0Nk=
Received: (qmail 104123 invoked by alias); 9 Mar 2015 14:28:52 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: 
 <mailto:libc-alpha-unsubscribe-incoming=patchwork.ozlabs.org@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 104114 invoked by uid 89); 9 Mar 2015 14:28:51 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=1.5 required=5.0 tests=AWL, BAYES_00,
	FREEMAIL_FROM, KAM_FROM_URIBL_PCCC, RCVD_IN_DNSWL_LOW,
	SPF_PASS, T_RP_MATCHES_RCVD autolearn=no version=3.3.2
X-HELO: mail-ob0-f177.google.com
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:mime-version:sender:from:date:message-id:subject
	:to:content-type;
	bh=wrLbT5PloRfH55x/dBOwGLJp5AWGcPoWnyajfiQvO+Y=;
	b=L2PFv1Ea5JNAIqB9KtDenhtC2RDw32/zIbynpetc5SYCBXyb1lKFSLOk+q3hKfJx4B
	YlJ4pqlJpPud46NAXJuHDvZxcIJD6b+AtJJN2+J44rWF9AdxCqG8Sdt+LHyo2PurjJT6
	upOwgwH+tJeXKi+hPXYkH0gV2aXjU3g37U0KG4A3zD43eUERIZsw+kDyT4+AMzob9lXX
	RIn7tWrFMqaT+W8QV8MPhmEnXzirm9FJX0dABH8KZmrRAO/rP9Ixwj+6WB+hhpK5PKVD
	FHrrsWbTiJyDito2nE+J/iv4aaTJJPX12i19dxytpLIbyKKlw6KJX5RVwDsYTVfOxoxf
	NzyA==
X-Gm-Message-State: 
 ALoCoQkfkHfia2J33T8e1ZcmfKy8bj9fIM7JeaCY+Vpe8r1krZrLn7o4r23ktxroMQv99ivLa3rn
X-Received: by 10.202.203.78 with SMTP id b75mr20612167oig.27.1425911319570;
	Mon, 09 Mar 2015 07:28:39 -0700 (PDT)
MIME-Version: 1.0
From: Paul Pluzhnikov <ppluzhnikov@gmail.com>
Date: Mon, 9 Mar 2015 07:28:08 -0700
Message-ID: 
 <CALoOobM_bLg9CtR5vF+nfnhVtoZhKKo8extbCwAwmkNAPOSVLg@mail.gmail.com>
Subject: [patch][committed] Fix second instance of BZ #18043
To: GLIBC Devel <libc-alpha@sourceware.org>

Greetings,

I've committed the patch below as obvious.

2015-03-09  Paul Pluzhnikov  <ppluzhnikov@google.com>

       [BZ #18043]
       * posix/wordexp.c (parse_param): Fix buffer overflow.
       * posix/wordexp-test.c (test_case): Add test case.

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 845407e..0a353a4 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -234,8 +234,9 @@ struct test_case_struct
     { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
     { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
 
-    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },  /* BZ 18042  */
-    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },   /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS },     /* BZ 18042  */
+    { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS },      /* BZ 18043  */
+    { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS },   /* BZ 18043#c4  */
 
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };
diff --git a/posix/wordexp.c b/posix/wordexp.c
index ae4fd72..36b6fff 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
 	  break;
 
 	case ':':
-	  if (strchr ("-=?+", words[1 + *offset]) == NULL)
+	  if (words[1 + *offset] == '\0'
+	      || strchr ("-=?+", words[1 + *offset]) == NULL)
 	    goto syntax;
 
 	  colon_seen = 1;