mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00

Fix crash on trying a very long nonexistent command

Reproducer from @Saikiran-m:
| ~# sh -c `perl -e 'print "a"x100000'`
|  genunix: NOTICE: core_log: sh[1221] core dumped: /var/cores/core.sh.0.1602153496
| Memory fault(coredump)

The crash was in trying to decide whether the name was suitable for
autoloading as a function on $FPATH. This calls strmatch() to check
the name against a regex for valid function name. But the libast
regex code is not designed optimally and uses too much recursion,
limiting the length of the strings it's able to cope with.

src/cmd/ksh93/sh/path.c: path_search():
- Before calling strmatch(), check that the name is shorter than
  256 bytes. The maximum length of file names on Linux and macOS is
  255 bytes, so an autoload function can't have a name longer than
  that anyway.

src/cmd/ksh93/tests/path.sh:
- Add test for this bug.
- Tweak 'command -x' test to not leave a hanging process on Ctrl+C.

Fixes: https://github.com/ksh93/ksh/issues/144
Martijn Dekker 2021-02-04 04:34:01 +00:00
parent 32cff97b24
commit 6f3b23e6f4
2 changed files with 10 additions and 2 deletions


@ -720,7 +720,7 @@ int path_search(Shell_t *shp,register const char *name,Pathcomp_t **oldpp, int f
{
if(!pp)
pp=sh_isstate(SH_DEFPATH)?shp->defpathlist:shp->pathlist;
if(pp && strmatch(name,e_alphanum) && (fno=path_opentype(shp,name,pp,1))>=0)
if(pp && strlen(name)<256 && strmatch(name,e_alphanum) && (fno=path_opentype(shp,name,pp,1))>=0)
{
if(flag >= 2)
{
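
Review bot: The `strlen(name)<256` guard added to the `if` condition in path_search() is a bare magic number with no comment. The reason for it (file names on Linux and macOS are at most 255 bytes, and strmatch() recurses too deeply on very long names) is recorded only in the commit message. Suggest a one-line comment above the condition, or a named constant such as NAME_MAX from <limits.h> where the platform provides it, so the check is not later removed as redundant. The guard also protects only this call site: the commit message attributes the crash to recursion depth in the libast regex code, so any other strmatch() call that can receive an arbitrarily long, externally supplied string would need the same length check or a fix in the matcher itself.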