backquote expansion bug in /bin/sh ( fix included )

Andrew Atrens atrens at nortelnetworks.com
Thu Feb 5 07:56:42 PST 2004


On February 4, 2004 06:55 pm, Simon 'corecode' Schubert wrote:
> On 04.02.2004, at 21:42, Andrew Atrens wrote:
> > Here's a patch to sh, which fixes this -
> >
> >
> > "/usr/bin/cvs" -z3 -Q diff -N -b -B -kk  -r 1.3 -r 1.3.2.1 "expand.c"
> > Index: expand.c
> > ===================================================================
> > RCS file: /usr/dfly/repo/src/bin/sh/expand.c,v
> > retrieving revision 1.3
> > retrieving revision 1.3.2.1
> > diff -b -B -r1.3 -r1.3.2.1
> > 472c472
> > <       for (p--; lastc == '\n'; lastc = *--p)
> > ---
> >
> >>       for ( ; *(dest-1) == '\n' ; )
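Review bot: the replacement loop condition `*(dest-1) == '\n'` has no lower bound, so when the bytes immediately before this expansion's output are also newlines the loop keeps decrementing dest past startloc into whatever precedes it, and with startloc at offset 0 it reads before the block. Test the offset before the byte, e.g. `for ( ; (dest - stackblock()) > startloc && *(dest-1) == '\n' ; )`, so that dest - 1 is only dereferenced inside this expansion's own output. Note also that the diff was taken with -b -B, so any whitespace-only change around the loop body does not appear in this hunk.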
>
> It lacks some bounds checking. Under sucky circumstances both old and
> new version will eat back up the stack...
>

Right. In the degenerate case where the bytes immediately preceding expdest 
in the heap (or data seg. iff you're in the root element of the command 
stack) are == '\n' you'll walk back further than you thought. Though this is 
highly unlikely, it's best to be safe :) :) ...

I used this -

        for ( ; (dest - stackblock()) > startloc && *(dest-1) == '\n' ; )


Seems to be working. Just compiled and installed the new version and am 
rebuilding world now. 


> How about (didn't try tho):
>
> while (*(dest - 1) == '\n' && dest - stackblock() > startloc)
>
>
> cheers
>    simon
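The loop the thread is arguing about, as an added example that is not code from bin/sh or from either poster: a small C model of the expansion stack, with the unbounded trailing-newline trim from the patch as posted beside the trim bounded by startloc. The names struct expstack, exp_init, trim_unbounded, trim_bounded and offset_after_trim are made up for this example; the one fence left in the unbounded version (the start of the block) is there only so the toy program stays memory-safe and is not in the original loop.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not code from bin/sh): a toy model of the expansion
 * stack that the thread's loop walks backwards over.  One stack block
 * holds the string being built; a backquote expansion appends its
 * output starting at offset startloc, and dest (expdest in sh) points
 * one past the last byte written.
 */
#define BLOCK_SIZE 64

struct expstack {
    char block[BLOCK_SIZE];  /* stands in for stackblock() */
    size_t startloc;         /* offset where this expansion's output begins */
    char *dest;              /* one past the last byte written */
};

/* Fill the block with `prefix` (bytes that were already there before the
 * expansion) followed by `output` (what the backquoted command printed). */
static void exp_init(struct expstack *s, const char *prefix, const char *output)
{
    size_t plen = strlen(prefix), olen = strlen(output);
    memset(s->block, 0, sizeof s->block);
    memcpy(s->block, prefix, plen);
    memcpy(s->block + plen, output, olen);
    s->startloc = plen;
    s->dest = s->block + plen + olen;
}

/* Trailing-newline trim as in the posted patch: no startloc check.
 * The only fence here is the start of the block, so this toy stays
 * memory-safe; the real loop has not even that and would read before
 * the allocation.  Returns the offset of dest after trimming. */
static size_t trim_unbounded(struct expstack *s)
{
    char *dest = s->dest;
    for (; dest > s->block && *(dest - 1) == '\n'; )
        dest--;
    s->dest = dest;
    return (size_t)(dest - s->block);
}

/* Trim with the bound from the thread: never step back past startloc.
 * The offset test comes first, so dest[-1] is only read while it lies
 * inside this expansion's own output (matters when startloc == 0). */
static size_t trim_bounded(struct expstack *s)
{
    char *dest = s->dest;
    for (; (size_t)(dest - s->block) > s->startloc && *(dest - 1) == '\n'; )
        dest--;
    s->dest = dest;
    return (size_t)(dest - s->block);
}

/* Build a block from the two strings and trim it with one of the loops;
 * returns the resulting dest offset. */
static size_t offset_after_trim(const char *prefix, const char *output, int bounded)
{
    struct expstack s;
    exp_init(&s, prefix, output);
    return bounded ? trim_bounded(&s) : trim_unbounded(&s);
}

int main(void)
{
    /* Constructed input: the bytes before the expansion end in newlines
     * and the command's output is nothing but newlines (startloc == 3). */
    printf("unbounded: dest offset %zu\n", offset_after_trim("a\n\n", "\n\n", 0));
    printf("bounded:   dest offset %zu\n", offset_after_trim("a\n\n", "\n\n", 1));
    return 0;
}
```

Run it and the unbounded trim reports an offset of 1 for a block whose three bytes before startloc are `a\n\n`: it has eaten two bytes that belonged to the preceding text, while the bounded version stops exactly at startloc = 3. Because the bounded loop tests the offset before reading `dest[-1]`, an expansion that starts at offset 0 and produces only newlines never reads before the block.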