DragonFly bugs List (threaded) for 2004-02
[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index]

Re: backquote expansion bug in /bin/sh ( fix included )

From:	"Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>
Date:	Thu, 5 Feb 2004 00:55:30 +0100

On 04.02.2004, at 21:42, Andrew Atrens wrote:

Here's a patch to sh, which fixes this -


"/usr/bin/cvs" -z3 -Q diff -N -b -B -kk  -r 1.3 -r 1.3.2.1 "expand.c"
Index: expand.c
===================================================================
RCS file: /usr/dfly/repo/src/bin/sh/expand.c,v
retrieving revision 1.3
retrieving revision 1.3.2.1
diff -b -B -r1.3 -r1.3.2.1
472c472
<       for (p--; lastc == '\n'; lastc = *--p)
---

for ( ; *(dest-1) == '\n' ; )

It lacks some bounds checking. Under sucky circumstances both old and new version will eat back up the stack...

How about (didn't try tho):

while (*(dest - 1) == '\n' && dest - stackblock() > startloc)


cheers
  simon

--
/"\   http://corecode.ath.cx/#donate
\ /
 \     ASCII Ribbon Campaign
/ \  Against HTML Mail and News

Attachment: PGP.sig
Description: This is a digitally signed message part

Follow-Ups:
- Re: backquote expansion bug in /bin/sh ( fix included )
  - From: Andrew Atrens

References:
- backquote expansion bug in /bin/sh ( fix included )
  - From: Andrew Atrens

[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index][Thread Index]