external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00
Code Issues Releases Wiki Activity

nv_newattr(): Fix out-of-bounds read (re: bdb99741)

Browse source 
When converting from -Z to another attribute, if the value of the
-Z variable was empty (so -Z0 and an empty value), the loop that
skips initial zeros may read before the beginning of the buffer:

2968:	if(nv_isattr(np,NV_ZFILL))
2969:	{
2970:		while(*sp=='0') sp++;	/* skip initial zeros */
2971:		if(!*sp) sp--;		/* if number was 0, leave one zero */
2972:	}

If the *sp value is empty (just a terminating zero byte), line 2970
does nothing, but line 2971 still decrases the pointer, to before
the beginning of the buffer.

The fix is to check for an initial zero before running that block.

Reproducer (fails intermittently, depending on garbage before *sp):

    typeset -Z foo=
    typeset -i foo
This commit is contained in:
Martijn Dekker 2022-07-31 04:02:03 +02:00
parent 2cd1c2e7ad
commit 38acc02e78
3 changed files with 10 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/cmd/ksh93/include/version.h
View file

@ -17,8 +17,8 @@
#include <releaseflags.h>
#define SH_RELEASE_FORK "93u+m" /* only change if you develop a new ksh93 fork */
#define SH_RELEASE_SVER "1.0.0-rc.4" /* semantic version number: https://semver.org */
#define SH_RELEASE_DATE "2022-07-28" /* must be in this format for $((.sh.version)) */
#define SH_RELEASE_SVER "1.0.0-rc.5" /* semantic version number: https://semver.org */
#define SH_RELEASE_DATE "2022-07-31" /* must be in this format for $((.sh.version)) */
#define SH_RELEASE_CPYR "(c) 2020-2022 Contributors to ksh " SH_RELEASE_FORK
/* Scripts sometimes field-split ${.sh.version}, so don't change amount of whitespace. */

2
src/cmd/ksh93/sh/name.c
View file

@ -2965,7 +2965,7 @@ void nv_newattr (register Namval_t *np, unsigned newatts, int size)
np->nvflag = oldatts;
if (sp = nv_getval(np))
{
if(nv_isattr(np,NV_ZFILL))
if(nv_isattr(np,NV_ZFILL) && *sp=='0')
{
while(*sp=='0') sp++; /* skip initial zeros */
if(!*sp) sp--; /* if number was 0, leave one zero */

7
src/cmd/ksh93/tests/attributes.sh
View file

@ -822,5 +822,12 @@ got=$(typeset -F5 num; num=3.25+4.5 eval 'typeset -p num')
[[ $got == "$exp" ]] || err_exit 'assignment preceding special built-in command call does not honour pre-set attributes' \
"(expected $(printf %q "$exp"), got $(printf %q "$got"))"
# ======
unset foo
(
typeset -Z foo=
typeset -i foo
) || err_exit 'failed to convert from -Z to -i'
# ======
exit $((Errors<125?Errors:125))