authorPaul Pluzhnikov <ppluzhnikov@google.com>2015-03-09 07:22:36 -0700
committerPaul Pluzhnikov <ppluzhnikov@google.com>2015-03-09 07:22:36 -0700
commit5f85a4bf9460b953a35f2beae54acaa8c1310a29 (patch)
tree912e656fd117c3cffcd58aed5a1e57b79527332c
parent95f386609f378063b35e0c4ede8c2d2ceea91f51 (diff)
Fix BZ #18043 (c4): buffer-overflow (read past the end) in wordexp/parse_dollars/parse_param
-rw-r--r--ChangeLog6
-rw-r--r--posix/wordexp-test.c5
-rw-r--r--posix/wordexp.c3
3 files changed, 11 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index abb948f36f..a7bd5b743c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
2015-03-09 Paul Pluzhnikov <ppluzhnikov@google.com>
+ [BZ #18043]
+ * posix/wordexp.c (parse_param): Fix buffer overflow.
+ * posix/wordexp-test.c (test_case): Add test case.
+
+2015-03-09 Paul Pluzhnikov <ppluzhnikov@google.com>
+
[BZ #18042]
* posix/wordexp.c (parse_backtick): Fix off-by-one.
* posix/wordexp-test.c (test_case): Add test for BZ #18042.
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 845407e537..0a353a45c3 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -234,8 +234,9 @@ struct test_case_struct
{ WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
{ WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
- { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS }, /* BZ 18042 */
- { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, /* BZ 18043 */
+ { WRDE_SYNTAX, NULL, "`\\", 0, 0, { NULL, }, IFS }, /* BZ 18042 */
+ { WRDE_SYNTAX, NULL, "${", 0, 0, { NULL, }, IFS }, /* BZ 18043 */
+ { WRDE_SYNTAX, NULL, "L${a:", 0, 0, { NULL, }, IFS }, /* BZ 18043#c4 */
{ -1, NULL, NULL, 0, 0, { NULL, }, IFS },
};
diff --git a/posix/wordexp.c b/posix/wordexp.c
index ae4fd72b82..36b6fff0db 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
break;
case ':':
- if (strchr ("-=?+", words[1 + *offset]) == NULL)
+ if (words[1 + *offset] == '\0'
+ || strchr ("-=?+", words[1 + *offset]) == NULL)
goto syntax;
colon_seen = 1;
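Review bot: The new `words[1 + *offset] == '\0'` test in the `case ':'` branch has no comment saying why it is needed, and the reason is easy to miss: strchr treats the terminating NUL as part of the searched string, so `strchr ("-=?+", '\0')` returns non-NULL and the old check accepted end-of-input as if it were a valid action character. I would add `/* strchr matches the terminating NUL too, so reject end of input explicitly.  */` above the condition so the guard is not later simplified away as redundant. Any other strchr-based character-class test on `words[...]` in this file would have the same blind spot; none is visible in this hunk, so that is worth a separate check. parse_param starts and ends outside the hunk.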