From 8253f59eae7bdb8b5a0f5b87212671564882d1f0 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Fri, 22 Nov 2013 15:48:24 -0500
Subject: fix resource exhaustion and zero-word cases in wordexp

when WRDE_NOSPACE is returned, the we_wordv and we_wordc members must
be valid, because the interface contract allows them to return partial
results.

in the case of zero results (due either to resource exhaustion or a
zero-word input) the we_wordv array still should contain a terminating
null pointer and the initial we_offs null pointers. this is impossible
on resource exhaustion, so a correct application must presumably check
for a null pointer in we_wordv; POSIX however seems to ignore the
issue. the previous code may have crashed under this situation.
---
 src/misc/wordexp.c | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/misc/wordexp.c b/src/misc/wordexp.c
index 7a358686..8f0d42f5 100644
--- a/src/misc/wordexp.c
+++ b/src/misc/wordexp.c
@@ -82,20 +82,20 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags)
 	i = wc;
 	if (flags & WRDE_DOOFFS) {
 		if (we->we_offs > SIZE_MAX/sizeof(void *)/4)
-			return WRDE_NOSPACE;
+			goto nospace;
 		i += we->we_offs;
 	} else {
 		we->we_offs = 0;
 	}
 
-	if (pipe(p) < 0) return WRDE_NOSPACE;
+	if (pipe(p) < 0) goto nospace;
 	__block_all_sigs(&set);
 	pid = fork();
 	__restore_sigs(&set);
 	if (pid < 0) {
 		close(p[0]);
 		close(p[1]);
-		return WRDE_NOSPACE;
+		goto nospace;
 	}
 	if (!pid) {
 		dup2(p[1], 1);
@@ -113,7 +113,7 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags)
 		close(p[0]);
 		kill(pid, SIGKILL);
 		waitpid(pid, &status, 0);
-		return WRDE_NOSPACE;
+		goto nospace;
 	}
 
 	l = wv ? i+1 : 0;
@@ -142,14 +142,24 @@ static int do_wordexp(const char *s, wordexp_t *we, int flags)
 	while ((waitpid(pid, &status, 0) < 0 && errno == EINTR)
 		|| !WIFEXITED(status));
 
+	if (!wv) wv = calloc(i+1, sizeof *wv);
+
 	we->we_wordv = wv;
 	we->we_wordc = i;
 
-	for (i=we->we_offs; i; i--)
-		we->we_wordv[i-1] = 0;
-
-	if (flags & WRDE_DOOFFS) we->we_wordc -= we->we_offs;
+	if (flags & WRDE_DOOFFS) {
+		if (wv) for (i=we->we_offs; i; i--)
+			we->we_wordv[i-1] = 0;
+		we->we_wordc -= we->we_offs;
+	}
 	return err;
+
+nospace:
+	if (!(flags & WRDE_APPEND)) {
+		we->we_wordc = 0;
+		we->we_wordv = 0;
+	}
+	return WRDE_NOSPACE;
 }
 
 int wordexp(const char *restrict s, wordexp_t *restrict we, int flags)
-- 
cgit v1.2.1