external/cde
1
0
Fork 0
mirror of git://git.code.sf.net/p/cdesktopenv/code synced 2025-03-09 15:50:02 +00:00
Code Issues Releases Wiki Activity

Fix ASan heap-buffer-overflow when handling syntax errors (#402)

Browse source 
This commit backports a bugfix from ksh2020 to fix an ASan
heap-buffer-overflow error in one of the regression tests. See:
c57f7398
https://github.com/att/ast/issues/1261

This explanation comes from the linked issue:
> The poplevel() in this block of code is called when lp->lexd.lex_max
> is zero:
> bd94eb56/src/cmd/ksh93/sh/lex.c (L921-L925)
> Since poplevel() first decrements lp->lexd.lex_max then uses it as
> an index into lp->lexd.lex_match this causes the word before the
> start of that buffer to be accessed. The buffer is allocated here:
> bd94eb56/src/cmd/ksh93/sh/lex.c (L2210-L2218)

src/cmd/ksh93/sh/lex.c:
- Avoid calling poplevel() twice when handling syntax errors.
This commit is contained in:
Johnothan King 2021-12-28 08:59:30 -08:00 committed by Martijn Dekker
parent de795e1f9d
commit b425196958
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/cmd/ksh93/sh/lex.c
View file

@ -924,10 +924,10 @@ int sh_lex(Lex_t* lp)
if(c=='*' || (n=sh_lexstates[ST_BRACE][c])!=S_MOD1 && n!=S_MOD2)
{
/* see whether inside `...` */
mode = oldmode(lp);
poplevel(lp);
if((n = endchar(lp)) != '`')
goto err;
mode = oldmode(lp);
poplevel(lp);
pushlevel(lp,RBRACE,mode);
}
else