From ba752034c069b1eaec97d00e80ede0001cf0e3f6 Mon Sep 17 00:00:00 2001 From: Martijn Dekker Date: Fri, 18 Sep 2020 06:43:20 +0200 Subject: [PATCH] Fix crash in .paths file handling When compiling ksh with '-O0 -g -D_std_malloc' on my Mac, the paths.sh regress test set crashed. This is the test that crashed: print 'FPATH=../fun' > bin/.paths cat <<- \EOF > fun/myfun function myfun { print myfun } EOF x=$(FPATH= PATH=$PWD/bin $SHELL -c ': $(whence less);myfun') 2> /dev/null [[ $x == myfun ]] || err_exit 'function myfun not found' The crash occurred on the second-to-last line. The backtrace suggests an invalid use of strcpy() with overlapping memory: 0 libsystem_kernel.dylib __pthread_kill + 10 1 libsystem_pthread.dylib pthread_kill + 284 2 libsystem_c.dylib abort + 127 3 libsystem_c.dylib abort_report_np + 177 4 libsystem_c.dylib __chk_fail + 48 5 libsystem_c.dylib __chk_fail_overlap + 16 6 libsystem_c.dylib __chk_overlap + 34 7 libsystem_c.dylib __strcpy_chk + 64 8 ksh path_chkpaths + 1038 (path.c:1534) 9 ksh path_addcomp + 1032 (path.c:1481) 10 ksh path_addpath + 395 (path.c:1598) 11 ksh put_restricted + 626 (init.c:329) [...] src/cmd/ksh93/sh/path.c: path_chkpaths(): - When reading the '.paths' file, use memmove(3) instead of strcpy(3) as the former does a non-destructive copy with tolerance for overlap. --- src/cmd/ksh93/sh/path.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cmd/ksh93/sh/path.c b/src/cmd/ksh93/sh/path.c index 5fef2b119..ab8c85927 100644 --- a/src/cmd/ksh93/sh/path.c +++ b/src/cmd/ksh93/sh/path.c @@ -1531,7 +1531,7 @@ static int path_chkpaths(Shell_t *shp,Pathcomp_t *first, Pathcomp_t* old,Pathcom { char *ptr = stakptr(offset+pp->len+1); if(ep) - strcpy(ptr,ep); + memmove(ptr,ep,strlen(ep)+1); path_addcomp(shp,first,old,stakptr(offset),PATH_FPATH|PATH_BFPATH); } }