
Fix buffer overflow in sh_lex()

This macro expansion in lex.c may assign -1 to n if EOF is reached:

1178:	fcgetc(n);

As a result, n may be -1 when this code is reached:

1190:	if(sh_isoption(SH_BRACEEXPAND) && c==LBRACE && !assignment
	&& state[n]!=S_BREAK

'state[n]' is a buffer overflow if n==-1.

src/cmd/ksh93/sh/lex.c: sh_lex(): case S_BRACE:
- Apart from the buffer overflow, if n<=0, none of the code
  following fcgetc(n) does anything until 'break' on line 1199 is
  reached. So, if fcgetc(n) yields <=0, just break. This allows some
  code simplification.

Progresses: https://github.com/ksh93/ksh/issues/518
This commit is contained in:
Martijn Dekker 2022-08-19 18:32:50 +01:00
parent f24040ee45
commit e9fc519737


@ -1175,14 +1175,12 @@ int sh_lex(Lex_t* lp)
goto do_reg; goto do_reg;
} }
isfirst = (lp->lexd.first&&fcseek(0)==lp->lexd.first+1); isfirst = (lp->lexd.first&&fcseek(0)==lp->lexd.first+1);
fcgetc(n); if(fcgetc(n)<=0)
break;
/* check for {} */ /* check for {} */
if(c==LBRACE && n==RBRACE) if(c==LBRACE && n==RBRACE)
break; break;
if(n>0) fcseek(-LEN);
fcseek(-LEN);
else if(lp->lex.reservok)
break;
/* check for reserved word { or } */ /* check for reserved word { or } */
if(lp->lex.reservok && state[n]==S_BREAK && isfirst) if(lp->lex.reservok && state[n]==S_BREAK && isfirst)
break; break;
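Review bot: The new guard `if(fcgetc(n)<=0) break;` reads as a plain end-of-input check, but it is also what keeps the `state[n]` lookups below in range (the `state[n]==S_BREAK` test in this hunk and the brace-expansion test the description cites at line 1190), so it deserves a comment saying so, e.g. `/* EOF/no char: nothing below applies, and state[n] must not be indexed with n<=0 */`. The old code broke for n<=0 only when `lp->lex.reservok` was set and otherwise fell through, so this is a small behaviour change for n==0 with reservok clear; the description states the skipped code is a no-op in that case, and that reasoning belongs in the comment too so a later edit does not move the guard below a `state[n]` use. sh_lex() and the S_BRACE case both continue outside this hunk.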