mirror of
git://git.code.sf.net/p/cdesktopenv/code
synced 2025-02-15 04:32:24 +00:00
Fix history expansion buffer overflow (#434)

History expansion currently crashes under ASan due to a buffer overflow.
Reproducer:

    $ set -H
    $ !!:s/old/new/

Explanation from <https://github.com/att/ast/issues/1369>:

> The problem is the code assumes the buffer allocated for a string
> stream is zero initialized. But the SFIO code uses malloc() to
> allocate the buffer and does not explicitly initialize it with
> memset(). That it works at all, even without ASAN enabled, is
> purely accidental. It will fail if that malloc() returns a block
> that had been previously allocated, used, and freed. Under ASAN
> the buffer is initialized (at least on my system) to a sequence
> of 0xBE bytes. So the strdup() happily tries to duplicate a
> string that is the size of that buffer and fails when it reads
> past the end of the buffer looking for the terminating zero byte.

src/cmd/ksh93/edit/hexpand.c:
- Backport ksh2020 bugfix that avoids assuming the string stream has
  been initialized to zeros: https://github.com/att/ast/commit/cf16bcca
  (minus the incorrect change to the static wm variable).
parent 5a1ec3c9ff
commit eaf7662daa
3 changed files with 13 additions and 3 deletions
NEWS
@ -3,6 +3,10 @@ For full details, see the git log at: https://github.com/ksh93/ksh/tree/1.0

Any uppercase BUG_* names are modernish shell bug IDs.

2022-01-20:

- Fixed a potential crash in history expansion due to a buffer overflow.

2022-01-12:

- Added bash-inspired --histreedit and --histverify options that modify history
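Review bot: the NEWS entry "Fixed a potential crash in history expansion due to a buffer overflow." describes the bug less precisely than the commit message does: the explanation quoted there is a read past the end of the buffer (strdup() scanning for a terminator), not a write, and the trigger is the `:s/old/new/` modifier reusing a `!?string?` match. Suggest naming both so users can match the entry to their symptom, e.g. "- Fixed a crash (heap buffer over-read) in history expansion when a :s modifier reused a !?string? match."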
@ -2,7 +2,7 @@
* *
* This software is part of the ast package *
* Copyright (c) 1982-2011 AT&T Intellectual Property *
* Copyright (c) 2020-2021 Contributors to ksh 93u+m *
* Copyright (c) 2020-2022 Contributors to ksh 93u+m *
* and is licensed under the *
* Eclipse Public License, Version 1.0 *
* by AT&T Intellectual Property *
@ -590,7 +590,13 @@ getsel:
{
/* preset old with match from !?string? */
if(!sb.str[0] && wm)
sb.str[0] = sh_strdup(sfsetbuf(wm, (void*)1, 0));
{
char *sbuf = sfsetbuf(wm, (void*)1, 0);
int n = sftell(wm);
sb.str[0] = sh_malloc(n + 1);
sb.str[0][n] = '\0';
memcpy(sb.str[0], sbuf, n);
}
cp = parse_subst(cp, &sb);
}

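Review bot: `int n = sftell(wm);` narrows the Sfoff_t offset that sftell() yields into an int and passes it unchecked to `sh_malloc(n + 1)` and `memcpy(sb.str[0], sbuf, n)`; a negative return on error would become an enormous size_t at both call sites. Suggest keeping the offset type and rejecting the error case, e.g. `Sfoff_t n = sftell(wm); if(n < 0) n = 0;`, before the allocation. The copy also now depends on the stream position being exactly the length of the stored match (wm only ever written, never seeked or read back), which is the invariant that replaces the old reliance on a zero terminator; a one-line comment stating it next to `int n = sftell(wm);` would help the next reader.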
@ -21,7 +21,7 @@

#define SH_RELEASE_FORK "93u+m" /* only change if you develop a new ksh93 fork */
#define SH_RELEASE_SVER "1.0.0-beta.2" /* semantic version number: https://semver.org */
#define SH_RELEASE_DATE "2022-01-12" /* must be in this format for $((.sh.version)) */
#define SH_RELEASE_DATE "2022-01-20" /* must be in this format for $((.sh.version)) */
#define SH_RELEASE_CPYR "(c) 2020-2022 Contributors to ksh " SH_RELEASE_FORK

/* Scripts sometimes field-split ${.sh.version}, so don't change amount of whitespace. */