backquote expansion bug in /bin/sh ( fix included )
atrens at nortelnetworks.com
Thu Feb 5 07:56:42 PST 2004
On February 4, 2004 06:55 pm, Simon 'corecode' Schubert wrote:
> On 04.02.2004, at 21:42, Andrew Atrens wrote:
> > Here's a patch to sh, which fixes this -
> > "/usr/bin/cvs" -z3 -Q diff -N -b -B -kk -r 1.3 -r 22.214.171.124 "expand.c"
> > Index: expand.c
> > ===================================================================
> > RCS file: /usr/dfly/repo/src/bin/sh/expand.c,v
> > retrieving revision 1.3
> > retrieving revision 126.96.36.199
> > diff -b -B -r1.3 -r188.8.131.52
> > 472c472
> > < for (p--; lastc == '\n'; lastc = *--p)
> > ---
> >> for ( ; *(dest-1) == '\n' ; )
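Review bot: the replacement condition at 472c472, *(dest-1) == '\n', has no lower bound on dest, so when every byte back to the start of this expansion is a newline the loop keeps walking into whatever precedes it. Test a bound before the dereference, for example (dest - stackblock()) > startloc && *(dest-1) == '\n'. With the init and step clauses both empty, a while loop would also read more clearly than for ( ; ... ; ).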
> It lacks some bounds checking. Under sucky circumstances both old and
> new version will eat back up the stack...
Right. In the degenerate case where the bytes immediately preceding expdest
in the heap (or data seg. iff you're in the root element of the command
stack) are == '\n' you'll walk back further than you thought. Though this is
highly unlikely, it's best to be safe :) :) ...
I used this -
for ( ; (dest - stackblock()) > startloc && *(dest-1) == '\n' ; )
Seems to be working. Just compiled and installed the new version and am
rebuilding world now.
> How about (didn't try tho):
> while (*(dest - 1) == '\n' && dest - stackblock() > startloc)