diff options
| author | Rich Felker <dalias@aerifal.cx> | 2013-11-22 15:48:24 -0500 |
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2013-11-22 15:48:24 -0500 |
| commit | 8253f59eae7bdb8b5a0f5b87212671564882d1f0 (patch) | |
| tree | f746ef5bf47a9aae9a7779af139222b85c111204 | |
| parent | d8f1908b821098f7a2ff03fbf6b152fe13023057 (diff) | |
| download | musl-8253f59eae7bdb8b5a0f5b87212671564882d1f0.tar.gz musl-8253f59eae7bdb8b5a0f5b87212671564882d1f0.tar.bz2 musl-8253f59eae7bdb8b5a0f5b87212671564882d1f0.tar.xz musl-8253f59eae7bdb8b5a0f5b87212671564882d1f0.zip | |
fix resource exhaustion and zero-word cases in wordexp
when WRDE_NOSPACE is returned, the we_wordv and we_wordc members must
be valid, because the interface contract allows them to return partial
results.
in the case of zero results (due either to resource exhaustion or a
zero-word input) the we_wordv array still should contain a terminating
null pointer and the initial we_offs null pointers. this is impossible
on resource exhaustion, so a correct application must presumably check
for a null pointer in we_wordv; POSIX however seems to ignore the
issue. the previous code may have crashed under this situation.
| -rw-r--r-- | src/misc/wordexp.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/src/misc/wordexp.c b/src/misc/wordexp.c index 7a358686..8f0d42f5 100644 --- a/src/misc/wordexp.c +++ b/src/misc/wordexp.c @@ -82,20 +82,20 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags) i = wc; if (flags & WRDE_DOOFFS) { if (we->we_offs > SIZE_MAX/sizeof(void *)/4) - return WRDE_NOSPACE; + goto nospace; i += we->we_offs; } else { we->we_offs = 0; } - if (pipe(p) < 0) return WRDE_NOSPACE; + if (pipe(p) < 0) goto nospace; __block_all_sigs(&set); pid = fork(); __restore_sigs(&set); if (pid < 0) { close(p[0]); close(p[1]); - return WRDE_NOSPACE; + goto nospace; } if (!pid) { dup2(p[1], 1); @@ -113,7 +113,7 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags) close(p[0]); kill(pid, SIGKILL); waitpid(pid, &status, 0); - return WRDE_NOSPACE; + goto nospace; } l = wv ? i+1 : 0; @@ -142,14 +142,24 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags) while ((waitpid(pid, &status, 0) < 0 && errno == EINTR) || !WIFEXITED(status)); + if (!wv) wv = calloc(i+1, sizeof *wv); + we->we_wordv = wv; we->we_wordc = i; - for (i=we->we_offs; i; i--) - we->we_wordv[i-1] = 0; - - if (flags & WRDE_DOOFFS) we->we_wordc -= we->we_offs; + if (flags & WRDE_DOOFFS) { + if (wv) for (i=we->we_offs; i; i--) + we->we_wordv[i-1] = 0; + we->we_wordc -= we->we_offs; + } return err; + +nospace: + if (!(flags & WRDE_APPEND)) { + we->we_wordc = 0; + we->we_wordv = 0; + } + return WRDE_NOSPACE; } int wordexp(const char *restrict s, wordexp_t *restrict we, int flags) |