[git commit] ash: fix use-after-free in bash pattern substitution

Denys Vlasenko vda.linux at googlemail.com
Tue Aug 2 16:27:41 UTC 2022


commit: https://git.busybox.net/busybox/commit/?id=7c2a3bdde0a1316771fdd07ff03413f00383f70e
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

function                                             old     new   delta
subevalvar                                          1566    1564      -2

Signed-off-by: Sören Tempel <soeren at soeren-tempel.net>
Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 shell/ash.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/shell/ash.c b/shell/ash.c
index 105edd4c8..55c1034f5 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7357,6 +7357,13 @@ subevalvar(char *start, char *str, int strloc,
 				idx = loc;
 			}
 
+			/* The STPUTC invocations above may resize and move the
+			 * stack via realloc(3). Since repl is a pointer into the
+			 * stack, we need to reconstruct it relative to stackblock().
+			 */
+			if (slash_pos >= 0)
+				repl = (char *)stackblock() + strloc + slash_pos + 1;
+
 			//bb_error_msg("repl:'%s'", repl);
 			for (loc = (char*)repl; *loc; loc++) {
 				char *restart_detect = stackblock();
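Review bot: the rebase `repl = (char *)stackblock() + strloc + slash_pos + 1;` is guarded by `slash_pos >= 0`, but nothing in the hunk says what `repl` points to when `slash_pos` is negative; a short addition to the new comment stating that in that case `repl` is not a pointer into the stack (and so needs no rebase) would make the guard self-explanatory to the next reader. The patch also ships no regression test and the commit message does not give the input that triggered the use-after-free; since the fix only matters when the preceding `STPUTC` calls grow the stack through `realloc(3)`, a shell test with a replacement string long enough to force that growth would keep the bug from being reintroduced. Minor: the cast spacing in `(char *)stackblock()` differs from `(char*)repl` on the following line.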

