From 5f85a4bf9460b953a35f2beae54acaa8c1310a29 Mon Sep 17 00:00:00 2001
From: Paul Pluzhnikov <ppluzhnikov@google.com>
Date: Mon, 9 Mar 2015 07:22:36 -0700
Subject: Fix BZ #18043 (c4): buffer-overflow (read past the end) in
 wordexp/parse_dollars/parse_param

---
 posix/wordexp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'posix/wordexp.c')

diff --git a/posix/wordexp.c b/posix/wordexp.c
index ae4fd72b82..36b6fff0db 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1343,7 +1343,8 @@ parse_param (char **word, size_t *word_length, size_t *max_length,
 	  break;
 
 	case ':':
-	  if (strchr ("-=?+", words[1 + *offset]) == NULL)
+	  if (words[1 + *offset] == '\0'
+	      || strchr ("-=?+", words[1 + *offset]) == NULL)
 	    goto syntax;
 
 	  colon_seen = 1;
-- 
cgit v1.2.3