[git commit] awk: Guard pointer chasing when parsing ternary expressions.

Denys Vlasenko vda.linux at googlemail.com
Mon Jan 21 11:55:49 UTC 2019


commit: https://git.busybox.net/busybox/commit/?id=dac15a10accc6921d1559d254ceed9fe9d092ddf
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

Avoids an uninit pointer deref for some malformed ternary exprs.

Add a test that would crash in busybox before this fix.

Signed-off-by: Brian Foley <bpfoley at google.com>
Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 editors/awk.c       | 3 ++-
 testsuite/awk.tests | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/editors/awk.c b/editors/awk.c
index b6d8cf203..f2b8b13eb 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -1265,7 +1265,7 @@ static node *parse_expr(uint32_t iexp)
 	debug_printf_parse("%s(%x)\n", __func__, iexp);
 
 	sn.info = PRIMASK;
-	sn.r.n = glptr = NULL;
+	sn.r.n = sn.a.n = glptr = NULL;
 	xtc = TC_OPERAND | TC_UOPPRE | TC_REGEXP | iexp;
 
 	while (!((tc = next_token(xtc)) & iexp)) {
@@ -1287,6 +1287,7 @@ static node *parse_expr(uint32_t iexp)
 			    || ((t_info == vn->info) && ((t_info & OPCLSMASK) == OC_COLON))
 			) {
 				vn = vn->a.n;
+				if (!vn->a.n) syntax_error(EMSG_UNEXP_TOKEN);
 			}
 			if ((t_info & OPCLSMASK) == OC_TERNARY)
 				t_info += P(6);
diff --git a/testsuite/awk.tests b/testsuite/awk.tests
index 3933fefc9..9f353fc10 100755
--- a/testsuite/awk.tests
+++ b/testsuite/awk.tests
@@ -338,6 +338,9 @@ testing "awk continue" \
 testing "awk handles invalid for loop" \
     "awk '{ for() }' 2>&1" "awk: cmd. line:1: Unexpected token\n" "" ""
 
+testing "awk handles colon not preceded by ternary" \
+    "awk 'foo:bar:' 2>&1" "awk: cmd. line:1: Unexpected token\n" "" ""
+
 # testing "description" "command" "result" "infile" "stdin"
 testing 'awk negative field access' \
 	'awk 2>&1 -- '\''{ $(-1) }'\' \


More information about the busybox-cvs mailing list