mirror of
git://git.code.sf.net/p/cdesktopenv/code
synced 2025-02-13 19:52:20 +00:00
lex.c: Fix buffer overflow in debug sh_lex and sh_syntax (#262)
fmttoken() needs a minimal char[4] token buffer passed to it. Originally reported by: Jakub Wilk <jwilk@jwilk.net> Original bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879464 The following code lines from fmttoken() yield a n=3 for SYMSEMI as n=1 from the start, e.g. 'for <>;'. case SYMSEMI: if(tok[0]=='<') tok[n++] = '>'; sym = ';'; break; default: sym = 0; } tok[n++] = sym; } tok[n] = 0; n[0]='<' n[1]='>' n[2]=';' n[3]=0 # <-- BUFFER overflow as the passed character buffers have a size of 3 src/cmd/ksh93/sh/lex.c: - DBUG: sh_lex(): Adjust char tokstr[3] to char tokstr[4] - sh_syntax(): Adjust char tokbuf[3] to char tokbuf[4]
This commit is contained in:
hyenias
GitHub
parent
a065558291
commit
3255aed2c4
1 changed files with 2 additions and 2 deletions
|
|
@ -289,7 +289,7 @@ int sh_lex(Lex_t *lp)
|
||||||
Shell_t *shp = lp->sh;
|
Shell_t *shp = lp->sh;
|
||||||
register int flag;
|
register int flag;
|
||||||
char *quoted, *macro, *split, *expand;
|
char *quoted, *macro, *split, *expand;
|
||||||
char tokstr[3];
|
char tokstr[4];
|
||||||
register int tok = lextoken(lp);
|
register int tok = lextoken(lp);
|
||||||
quoted = macro = split = expand = "";
|
quoted = macro = split = expand = "";
|
||||||
if(tok==0 && (flag=lp->arg->argflag))
|
if(tok==0 && (flag=lp->arg->argflag))
|
||||||
|
|
@ -2108,7 +2108,7 @@ noreturn void sh_syntax(Lex_t *lp)
|
||||||
register const char *cp = sh_translate(e_unexpected);
|
register const char *cp = sh_translate(e_unexpected);
|
||||||
register char *tokstr;
|
register char *tokstr;
|
||||||
register int tok = lp->token;
|
register int tok = lp->token;
|
||||||
char tokbuf[3];
|
char tokbuf[4];
|
||||||
Sfio_t *sp;
|
Sfio_t *sp;
|
||||||
if((tok==EOFSYM) && lp->lasttok)
|
if((tok==EOFSYM) && lp->lasttok)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue