Report

CVE-2021-35942: glibc wordexp() integer overflow in w_addword via we_offs

6fd72ad6-22c7-4795-98b6-a7f6291c268b

CVE-2021-35942: The wordexp() function in glibc (through 2.33) has an integer overflow in w_addword() in posix/wordexp.c. The size calculation num_p = 2 + pwordexp->we_wordc + pwordexp->we_offs (line 160) overflows when the caller supplies a large we_offs value (e.g. SIZE_MAX) via the WRDE_DOOFFS flag. The resulting undersized realloc (e.g. 8 bytes) is followed by an out-of-bounds write at index we_offs + we_wordc (e.g. SIZE_MAX), causing heap corruption or an arbitrary write primitive.

The initial calloc at line 2232 (calloc(1 + we_offs, sizeof(char*))) also overflows: with we_offs = SIZE_MAX, 1 + SIZE_MAX wraps to 0, so calloc(0, 8) returns a minimal allocation in glibc, allowing execution to proceed to the out-of-bounds write.

parse_param() (line 1174) is in the call path to w_addword() via $@ / $* expansion (line 1470), which is why the NVD description cites parse_param as the crash site.
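The two size computations described above, as an added illustration that is not glibc's code: each unchecked form is shown beside a checked variant that refuses to wrap, and `we_offs_is_sane` is a hypothetical caller-side gate for code that passes WRDE_DOOFFS.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Unchecked form of the w_addword() slot count: 2 + we_wordc + we_offs.
 * With we_offs == SIZE_MAX and we_wordc == 0 this wraps to 1, so the
 * following realloc() asks for a single pointer (8 bytes on LP64). */
size_t num_p_unchecked(size_t we_wordc, size_t we_offs) {
    return 2 + we_wordc + we_offs; /* unsigned wraparound, no trap */
}

/* Checked form: returns false instead of wrapping. */
bool num_p_checked(size_t we_wordc, size_t we_offs, size_t *num_p) {
    if (we_wordc > SIZE_MAX - we_offs) return false;   /* wordc + offs wraps */
    size_t sum = we_wordc + we_offs;
    if (sum > SIZE_MAX - 2) return false;              /* + 2 wraps */
    *num_p = sum + 2;
    return true;
}

/* Unchecked element count of the initial calloc(1 + we_offs, sizeof(char*)):
 * 1 + SIZE_MAX wraps to 0, and calloc(0, 8) still returns a usable pointer. */
size_t calloc_nmemb_unchecked(size_t we_offs) {
    return 1 + we_offs;
}

/* Checked form: also bounds the byte size, since nmemb * sizeof(char*)
 * must fit in size_t for the vector to be addressable at all. */
bool calloc_nmemb_checked(size_t we_offs, size_t *nmemb) {
    if (we_offs > SIZE_MAX - 1) return false;          /* 1 + offs wraps */
    size_t n = we_offs + 1;
    if (n > SIZE_MAX / sizeof(char *)) return false;   /* byte size wraps */
    *nmemb = n;
    return true;
}

/* Hypothetical caller-side gate (not part of glibc): an offset is only
 * acceptable if both allocations above can be sized without wrapping. */
bool we_offs_is_sane(size_t we_offs) {
    size_t unused;
    return calloc_nmemb_checked(we_offs, &unused) &&
           num_p_checked(0, we_offs, &unused);
}
```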