From: Andreas Schwab <schwab@linux-m68k.org>
Date: Fri, 25 Jun 2021 13:02:47 +0000 (+0200)
Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug 28011)
X-Git-Tag: archive/raspbian/2.28-10+rpi1+deb10u4^2~10
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=47342f564a827598164ce24a8d39374af9eebacd;p=glibc.git

[PATCH] wordexp: handle overflow in positional parameter number (bug 28011)

Use strtoul instead of atoi so that overflow can be detected.


Gbp-Pq: Topic all
Gbp-Pq: Name git-CVE-2021-35942-wordexp-handle-overflow-in-positional-parameter-numb.diff
---

diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index cc2984035..30c1dd65e 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -200,6 +200,7 @@ struct test_case_struct
     { 0, NULL, "$var", 0, 0, { NULL, }, IFS },
     { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS },
     { 0, NULL, "", 0, 0, { NULL, }, IFS },
+    { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS },
 
     /* Flags not already covered (testit() has special handling for these) */
     { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS },
diff --git a/posix/wordexp.c b/posix/wordexp.c
index 7548e0329..d43d3e29d 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -1419,7 +1419,7 @@ envsubst:
   /* Is it a numeric parameter? */
   else if (isdigit (env[0]))
     {
-      int n = atoi (env);
+      unsigned long n = strtoul (env, NULL, 10);
 
       if (n >= __libc_argc)
 	/* Substitute NULL. */