mirror of git://git.musl-libc.org/musl
fix resource exhaustion and zero-word cases in wordexp
when WRDE_NOSPACE is returned, the we_wordv and we_wordc members must be valid, because the interface contract allows them to return partial results. in the case of zero results (due either to resource exhaustion or a zero-word input) the we_wordv array still should contain a terminating null pointer and the initial we_offs null pointers. this is impossible on resource exhaustion, so a correct application must presumably check for a null pointer in we_wordv; POSIX however seems to ignore the issue. the previous code may have crashed under this situation.
This commit is contained in:
Rich Felker
parent
d8f1908b82
commit
8253f59eae
|
|
@ -82,20 +82,20 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags)
|
||||||
i = wc;
|
i = wc;
|
||||||
if (flags & WRDE_DOOFFS) {
|
if (flags & WRDE_DOOFFS) {
|
||||||
if (we->we_offs > SIZE_MAX/sizeof(void *)/4)
|
if (we->we_offs > SIZE_MAX/sizeof(void *)/4)
|
||||||
return WRDE_NOSPACE;
|
goto nospace;
|
||||||
i += we->we_offs;
|
i += we->we_offs;
|
||||||
} else {
|
} else {
|
||||||
we->we_offs = 0;
|
we->we_offs = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (pipe(p) < 0) return WRDE_NOSPACE;
|
if (pipe(p) < 0) goto nospace;
|
||||||
__block_all_sigs(&set);
|
__block_all_sigs(&set);
|
||||||
pid = fork();
|
pid = fork();
|
||||||
__restore_sigs(&set);
|
__restore_sigs(&set);
|
||||||
if (pid < 0) {
|
if (pid < 0) {
|
||||||
close(p[0]);
|
close(p[0]);
|
||||||
close(p[1]);
|
close(p[1]);
|
||||||
return WRDE_NOSPACE;
|
goto nospace;
|
||||||
}
|
}
|
||||||
if (!pid) {
|
if (!pid) {
|
||||||
dup2(p[1], 1);
|
dup2(p[1], 1);
|
||||||
|
|
@ -113,7 +113,7 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags)
|
||||||
close(p[0]);
|
close(p[0]);
|
||||||
kill(pid, SIGKILL);
|
kill(pid, SIGKILL);
|
||||||
waitpid(pid, &status, 0);
|
waitpid(pid, &status, 0);
|
||||||
return WRDE_NOSPACE;
|
goto nospace;
|
||||||
}
|
}
|
||||||
|
|
||||||
l = wv ? i+1 : 0;
|
l = wv ? i+1 : 0;
|
||||||
|
|
@ -142,14 +142,24 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags)
|
||||||
while ((waitpid(pid, &status, 0) < 0 && errno == EINTR)
|
while ((waitpid(pid, &status, 0) < 0 && errno == EINTR)
|
||||||
|| !WIFEXITED(status));
|
|| !WIFEXITED(status));
|
||||||
|
|
||||||
|
if (!wv) wv = calloc(i+1, sizeof *wv);
|
||||||
|
|
||||||
we->we_wordv = wv;
|
we->we_wordv = wv;
|
||||||
we->we_wordc = i;
|
we->we_wordc = i;
|
||||||
|
|
||||||
for (i=we->we_offs; i; i--)
|
if (flags & WRDE_DOOFFS) {
|
||||||
we->we_wordv[i-1] = 0;
|
if (wv) for (i=we->we_offs; i; i--)
|
||||||
|
we->we_wordv[i-1] = 0;
|
||||||
if (flags & WRDE_DOOFFS) we->we_wordc -= we->we_offs;
|
we->we_wordc -= we->we_offs;
|
||||||
|
}
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
|
nospace:
|
||||||
|
if (!(flags & WRDE_APPEND)) {
|
||||||
|
we->we_wordc = 0;
|
||||||
|
we->we_wordv = 0;
|
||||||
|
}
|
||||||
|
return WRDE_NOSPACE;
|
||||||
}
|
}
|
||||||
|
|
||||||
int wordexp(const char *restrict s, wordexp_t *restrict we, int flags)
|
int wordexp(const char *restrict s, wordexp_t *restrict we, int flags)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue