wordexp: handle overflow in positional parameter number (bug 28011)

Message ID 87pmwaypwz.fsf@igel.home
State New
Headers show
Series
  • wordexp: handle overflow in positional parameter number (bug 28011)
Related show

Commit Message

Andreas Schwab June 25, 2021, 2:33 p.m.
Use strtoul instead of atoi so that overflow can be detected.
---
 posix/wordexp-test.c | 1 +
 posix/wordexp.c      | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

-- 
2.32.0


-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."

Comments

Florian Weimer via Libc-alpha June 27, 2021, 3:41 p.m. | #1
* Andreas Schwab:

> Use strtoul instead of atoi so that overflow can be detected.

> ---

>  posix/wordexp-test.c | 1 +

>  posix/wordexp.c      | 2 +-

>  2 files changed, 2 insertions(+), 1 deletion(-)

>

> diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c

> index f93a546d7e..9df02dbbb3 100644

> --- a/posix/wordexp-test.c

> +++ b/posix/wordexp-test.c

> @@ -183,6 +183,7 @@ struct test_case_struct

>      { 0, NULL, "$var", 0, 0, { NULL, }, IFS },

>      { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },

>      { 0, NULL, "", 0, 0, { NULL, }, IFS },

> +    { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },

>  

>      /* Flags not already covered (testit() has special handling for these) */

>      { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },

> diff --git a/posix/wordexp.c b/posix/wordexp.c

> index bcbe96e48d..1f3b09f721 100644

> --- a/posix/wordexp.c

> +++ b/posix/wordexp.c

> @@ -1399,7 +1399,7 @@ envsubst:

>    /* Is it a numeric parameter? */

>    else if (isdigit (env[0]))

>      {

> -      int n = atoi (env);

> +      unsigned long n = strtoul (env, NULL, 10);

>  

>        if (n >= __libc_argc)

>  	/* Substitute NULL. */


Looks reasonable.  The issue is that n as computed happens to be
negative, right?

Thanks,
Florian
Andreas Schwab June 27, 2021, 5:08 p.m. | #2
On Jun 27 2021, Florian Weimer wrote:

> Looks reasonable.  The issue is that n as computed happens to be

> negative, right?


Yes.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."

Patch

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index f93a546d7e..9df02dbbb3 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -183,6 +183,7 @@  struct test_case_struct
     { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
     { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
     { 0, NULL, "", 0, 0, { NULL, }, IFS },
+    { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
 
     /* Flags not already covered (testit() has special handling for these) */
     { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
diff --git a/posix/wordexp.c b/posix/wordexp.c
index bcbe96e48d..1f3b09f721 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1399,7 +1399,7 @@  envsubst:
   /* Is it a numeric parameter? */
   else if (isdigit (env[0]))
     {
-      int n = atoi (env);
+      unsigned long n = strtoul (env, NULL, 10);
 
       if (n >= __libc_argc)
 	/* Substitute NULL. */