From 59375c2b7949791d8cad8e5cebde2649bac83ec8 Mon Sep 17 00:00:00 2001
From: Simon Ruderich <simon@ruderich.org>
Date: Thu, 13 Jun 2013 22:08:08 +0200
Subject: [PATCH] Fix possible memory overwrite in init_from_environment().

It was possible for a user to overwrite memory at a relative location
with 1 by passing a negative file descriptor.
---
 src/trackfds.h                           |  5 ++-
 tests/Makefile.am                        |  5 ++-
 tests/example_environment.expected       |  1 +
 tests/example_environment_empty.expected |  9 +++++
 tests/lib.sh                             | 27 ++++++++++----
 tests/test_environment.sh                | 46 ++++++++++++++++++++++++
 6 files changed, 84 insertions(+), 9 deletions(-)
 create mode 120000 tests/example_environment.expected
 create mode 100644 tests/example_environment_empty.expected
 create mode 100755 tests/test_environment.sh

diff --git a/src/trackfds.h b/src/trackfds.h
index 00b3b6e..70751d7 100644
--- a/src/trackfds.h
+++ b/src/trackfds.h
@@ -135,7 +135,10 @@ static void init_from_environment(void) {
         *x = 0;
 
         int fd = atoi(last);
-        if (fd < TRACKFDS_STATIC_COUNT) {
+        if (fd < 0) {
+            goto next;
+
+        } else if (fd < TRACKFDS_STATIC_COUNT) {
             tracked_fds[fd] = 1;
         } else {
             if (!tracked_fds_list) {
diff --git a/tests/Makefile.am b/tests/Makefile.am
index a42be23..2a3749f 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -1,4 +1,5 @@
-TESTS = test_example.sh \
+TESTS = test_environment.sh \
+        test_example.sh \
         test_exec.sh \
         test_noforce.sh \
         test_redirects.sh \
@@ -21,6 +22,8 @@ endif
 
 dist_check_SCRIPTS = $(TESTS) lib.sh
 dist_check_DATA = example.expected \
+                  example_environment.expected \
+                  example_environment_empty.expected \
                   example_error.expected \
                   example_exec.expected \
                   example_noforce.sh \
diff --git a/tests/example_environment.expected b/tests/example_environment.expected
new file mode 120000
index 0000000..60fcce2
--- /dev/null
+++ b/tests/example_environment.expected
@@ -0,0 +1 @@
+example.expected
\ No newline at end of file
diff --git a/tests/example_environment_empty.expected b/tests/example_environment_empty.expected
new file mode 100644
index 0000000..2a7f5a1
--- /dev/null
+++ b/tests/example_environment_empty.expected
@@ -0,0 +1,9 @@
+write to stderr: 1
+write to stdout
+error!: Success
+write to stderr 2write to stdout 2
+
+more on stderr
+stderr ...
+more on stdout
+x
diff --git a/tests/lib.sh b/tests/lib.sh
index b1c8bc0..27653f7 100644
--- a/tests/lib.sh
+++ b/tests/lib.sh
@@ -40,6 +40,9 @@ fi
 LC_ALL=C
 unset LANGUAGE
 
+# Set default COLORED_STDERR_FDS value.
+fds=2,
+
 
 die() {
     echo "$@" >&2
@@ -75,7 +78,7 @@ run_test() {
     (
         # Standard setup.
         LD_PRELOAD="$library"
-        COLORED_STDERR_FDS=2,
+        COLORED_STDERR_FDS="$fds"
         export LD_PRELOAD
         export COLORED_STDERR_FDS
 
@@ -101,17 +104,27 @@ run_test() {
 
 test_script() {
     testcase="$1"
-    shift
-    run_test "$srcdir/$testcase" "$srcdir/$testcase.expected" "$@"
+    expected="$2"
+    shift; shift || true
+
+    if test -z "$expected"; then
+        expected="$testcase"
+    fi
+    run_test "$srcdir/$testcase" "$srcdir/$expected.expected" "$@"
 }
 test_script_subshell() {
-    test_script "$1" bash -c 'bash $1' ''
+    test_script "$1" "$2" bash -c 'bash $1' ''
 }
 test_program() {
     testcase="$1"
-    shift
-    run_test "$builddir/$testcase" "$srcdir/$testcase.expected" "$@"
+    expected="$2"
+    shift; shift || true
+
+    if test -z "$expected"; then
+        expected="$testcase"
+    fi
+    run_test "$builddir/$testcase" "$srcdir/$expected.expected" "$@"
 }
 test_program_subshell() {
-    test_program "$1" sh -c '$1' ''
+    test_program "$1" "$2" sh -c '$1' ''
 }
diff --git a/tests/test_environment.sh b/tests/test_environment.sh
new file mode 100755
index 0000000..a530718
--- /dev/null
+++ b/tests/test_environment.sh
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# Copyright (C) 2013  Simon Ruderich
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+test "x$srcdir" = x && srcdir=.
+. "$srcdir/lib.sh"
+
+# Test unexpected values for COLORED_STDERR_FDS environment variable.
+
+# Empty fields.
+fds=
+test_program          example example_environment_empty
+test_program_subshell example example_environment_empty
+fds=,,,
+test_program          example example_environment_empty
+test_program_subshell example example_environment_empty
+fds=,,,2
+test_program          example example_environment_empty
+test_program_subshell example example_environment_empty
+fds=2,,,
+test_program          example example_environment
+test_program_subshell example example_environment
+
+# Invalid fds.
+fds=-20,-30
+test_program          example example_environment_empty
+test_program_subshell example example_environment_empty
+fds=-20,-30,2,
+test_program          example example_environment
+test_program_subshell example example_environment
+fds=-20,-30,2,-1,
+test_program          example example_environment
+test_program_subshell example example_environment
-- 
2.43.2