| From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001 |
| From: Andreas Schwab <schwab@linux-m68k.org> |
| Date: Fri, 25 Jun 2021 15:02:47 +0200 |
| Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug |
| 28011) |
| |
| Use strtoul instead of atoi so that overflow can be detected. |
| |
| Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c] |
| CVE: CVE-2021-35942 |
| Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> |
| --- |
| posix/wordexp-test.c | 1 + |
| posix/wordexp.c | 2 +- |
| 2 files changed, 2 insertions(+), 1 deletion(-) |
| |
| diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c |
| index f93a546d7e..9df02dbbb3 100644 |
| --- a/posix/wordexp-test.c |
| +++ b/posix/wordexp-test.c |
| @@ -183,6 +183,7 @@ struct test_case_struct |
| { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, |
| { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, |
| { 0, NULL, "", 0, 0, { NULL, }, IFS }, |
| + { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS }, |
| |
| /* Flags not already covered (testit() has special handling for these) */ |
| { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, |
| diff --git a/posix/wordexp.c b/posix/wordexp.c |
| index bcbe96e48d..1f3b09f721 100644 |
| --- a/posix/wordexp.c |
| +++ b/posix/wordexp.c |
| @@ -1399,7 +1399,7 @@ envsubst: |
| /* Is it a numeric parameter? */ |
| else if (isdigit (env[0])) |
| { |
| - int n = atoi (env); |
| + unsigned long n = strtoul (env, NULL, 10); |
| |
| if (n >= __libc_argc) |
| /* Substitute NULL. */ |
| -- |
| 2.17.1 |
| |