backquote expansion bug in /bin/sh ( fix included )

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Thu Feb 5 01:28:49 PST 2004


On 05.02.2004, at 02:35, Vincent Labrecque wrote:
"/usr/bin/cvs" -z3 -Q diff -N -b -B -kk  -r 1.3 -r 1.3.2.1 "expand.c"
Index: expand.c
===================================================================
RCS file: /usr/dfly/repo/src/bin/sh/expand.c,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -b -B -r1.3 -r1.3.2.1
472c472
<       for (p--; lastc == '\n'; lastc = *--p)
---
      for ( ; *(dest-1) == '\n' ; )
It lacks some bounds checking. Under sucky circumstances both old and
new version will eat back up the stack...
How about (didn't try tho):

while (*(dest - 1) == '\n' && dest - stackblock() > startloc)
 Hm, i'd put the bound checking _before_ the *(dest-1) access, 
otherwise
it's a bit useless.
True, true... I somehow thought this way round would be better, but 
don't ask me how I came to this conclusion... Late night logic :)

cheers
  simon
--
/"\   http://corecode.ath.cx/#donate
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News
Attachment:
PGP.sig
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pgp00001.pgp
Type: application/octet-stream
Size: 186 bytes
Desc: "Description: This is a digitally signed message part"
URL: <http://lists.dragonflybsd.org/pipermail/bugs/attachments/20040205/b027751d/attachment-0022.obj>


More information about the Bugs mailing list