mirror of
git://git.code.sf.net/p/cdesktopenv/code
synced 2025-02-24 23:14:14 +00:00
bdb997415d
ksh crashed in various different and operating system-dependent
ways when attempting to create or apply justification strings
using typeset -L/-R/-Z, especially if large sizes are used.
The crashes had two immediate causes:
- In nv_newattr(), when applying justification attributes, a buffer
was allocated for the justified string that was exactly 8 bytes
longer than the original string. Any larger justification string
caused a buffer overflow (!!!).
- In nv_putval(), when applying existing attributes to a new value,
the corresponding memmove() either did not zero-terminate the
justified string (if the original string was longer than the
justified string) or could read memory past the original string
(if the original string was shorter than the justified string).
Both scenarios can cause a crash.
This commit fixes other minor issues as well, such as a mysterious
8 extra bytes allocated by several malloc/realloc calls. This may
have been some naive attempt to paper over the above bugs. It seems
no one can make any other kind of sense of it.
A readjustment bug with zero-filling was also fixed.
src/cmd/ksh93/sh/name.c:
- nv_putval():
. Get rid of the magical +8 bytes for malloc and realloc. Just
allocate one extra byte for the terminating zero.
. Fix the memmove operation to use strncpy instead, so that
buffer overflows are avoided in both scenarios described above.
Also make it conditional upon a size adjustment actually
happening (i.e. if 'dot' is nonzero).
. Mild refactoring: combine two 'if(sp)' blocks into one;
declare variables only used there locally for legibility.
- nv_newattr():
* Replace the fatally broken "let's allocate string length + 8
bytes no matter the size of the adjustment" routine with a new
one based on work by @hyenias (see comments in #142). It is
efficient with memory, taking into account numeric types,
growing strings, and shrinking strings.
* Fix zero-filling in readjustment after changing the initial
size of a -Z attribute. If the number was zero, all zeros were
still skipped, leaving an empty string.
Thanks to @hyenias for originally identifying this breakage and
laying the groundwork for fixing nv_newattr(), and to @lijog for
the crash analysis that revealed the key to the nv_putval() fix.
Resolves: https://github.com/ksh93/ksh/issues/142
Resolves: https://github.com/ksh93/ksh/issues/181
|
||
|---|---|---|
| .. | ||
| alias.sh | ||
| append.sh | ||
| arith.sh | ||
| arrays.sh | ||
| arrays2.sh | ||
| attributes.sh | ||
| basic.sh | ||
| bracket.sh | ||
| builtins.sh | ||
| case.sh | ||
| comvar.sh | ||
| comvario.sh | ||
| coprocess.sh | ||
| cubetype.sh | ||
| enum.sh | ||
| exit.sh | ||
| expand.sh | ||
| functions.sh | ||
| glob.sh | ||
| grep.sh | ||
| heredoc.sh | ||
| io.sh | ||
| jobs.sh | ||
| leaks.sh | ||
| locale.sh | ||
| math.sh | ||
| nameref.sh | ||
| namespace.sh | ||
| options.sh | ||
| path.sh | ||
| pointtype.sh | ||
| pty.sh | ||
| quoting.sh | ||
| quoting2.sh | ||
| readcsv.sh | ||
| recttype.sh | ||
| restricted.sh | ||
| return.sh | ||
| select.sh | ||
| shtests | ||
| sigchld.sh | ||
| signal.sh | ||
| statics.sh | ||
| subshell.sh | ||
| substring.sh | ||
| tilde.sh | ||
| timetype.sh | ||
| treemove.sh | ||
| types.sh | ||
| variables.sh | ||
| vartree1.sh | ||
| vartree2.sh | ||