[PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216

Denys Vlasenko vda.linux at googlemail.com
Mon Jun 12 15:54:11 UTC 2023


Sorry for missing your fix for so long.

I would like to avoid having numstack[] too large,
so I'm adding some code to bail out early if we see
a number immediately followed by a number or a name,
which is never valid.

Thus, the current allocation will not be overflowed.

Please try current git.

On Thu, Dec 29, 2022 at 2:53 PM Ron Yorston <rmy at pobox.com> wrote:
>
> Both ash and hush segfault when asked to evaluate ${0::0/0~09J}.
>
> The stack for integer values in the arithmetic code was too small:
> '09J' results in three integers.  The leading zero starts an octal
> number but '9' isn't an octal digit so '0', '9' and the variable
> 'Z' are placed on the stack.
>
> Signed-off-by: Ron Yorston <rmy at pobox.com>
> ---
>  shell/math.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/shell/math.c b/shell/math.c
> index 76d22c9bd..83ef85c0c 100644
> --- a/shell/math.c
> +++ b/shell/math.c
> @@ -588,7 +588,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
>         /* The proof that there can be no more than strlen(startbuf)/2+1
>          * integers in any given correct or incorrect expression
>          * is left as an exercise to the reader. */
> -       var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
> +       /* Counterexample: 09J results in three integers. */
> +       var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
>         var_or_num_t *numstackptr = numstack;
>         /* Stack of operator tokens */
>         operator *const stack = alloca(expr_len * sizeof(stack[0]));
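Review bot: The new size `expr_len - 2` is asserted without justification, and the three-line comment above it still claims the `strlen(startbuf)/2+1` bound that the commit message itself disproves; replace that "proof" with the bound actually relied on (the '09J' case shows one value per input character is possible) rather than leaving the false claim intact with a counterexample appended under it. Also confirm how `expr_len` is derived above the hunk: if it is a plain `strlen(expr)`, the subtraction wraps for an empty expression and leaves only one slot for a bare "09J". An alternative to enlarging `numstack` is to reject an expression in which a number is immediately followed by another number or a name, which is never valid, so the existing allocation cannot be overflowed.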
> --
> 2.38.1
>
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
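The tokenization behind this report, as an added illustration that is not code from the busybox tree or from either author: a deliberately simplified value-token scanner (names such as `count_value_tokens`, `claimed_bound` and `exceeds_claimed_bound` are hypothetical) that uses `strtoull()` with base 0 to mimic the octal-prefix rule, so "09J" splits into the three values "0", "9" and "J". It counts values with and without the early rejection of a value immediately following another value, and compares the lenient count against the `strlen/2 + 1` bound that the original comment in math.c relies on. Sample expressions other than those taken from the report are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical, simplified value-token scanner (not busybox's code).
 * It counts how many values (numbers or variable names) an arithmetic
 * expression yields. Numbers are parsed with strtoull() and base 0, so a
 * leading '0' selects octal and "09" is split into "0" and "9": that is
 * exactly what turns "09J" into three values.
 *
 * With reject_adjacent set, a value immediately following another value
 * (never valid in an arithmetic expression) stops the scan with -1, so
 * the number of values that can reach a stack is bounded by the number
 * of operators separating them.
 */
static int count_value_tokens(const char *expr, int reject_adjacent)
{
    const char *p = expr;
    int count = 0;
    int prev_was_value = 0;

    while (*p) {
        if (isspace((unsigned char)*p)) {
            p++;                      /* whitespace separates nothing by itself */
            continue;
        }
        if (isdigit((unsigned char)*p)) {
            char *end;
            if (reject_adjacent && prev_was_value)
                return -1;            /* number right after a number or name */
            (void)strtoull(p, &end, 0); /* base 0: "09" stops after the "0" */
            if (end == p)
                end = p + 1;          /* defensive: always consume something */
            count++;
            prev_was_value = 1;
            p = end;
            continue;
        }
        if (isalpha((unsigned char)*p) || *p == '_') {
            if (reject_adjacent && prev_was_value)
                return -1;            /* name right after a number or name */
            count++;
            prev_was_value = 1;
            while (isalnum((unsigned char)*p) || *p == '_')
                p++;
            continue;
        }
        /* anything else is treated as an operator or punctuation */
        prev_was_value = 0;
        p++;
    }
    return count;
}

/* The bound the original comment in math.c relies on: strlen/2 + 1. */
static size_t claimed_bound(const char *expr)
{
    return strlen(expr) / 2 + 1;
}

/* 1 if a lenient scan of expr needs more value slots than claimed_bound(). */
static int exceeds_claimed_bound(const char *expr)
{
    int n = count_value_tokens(expr, 0);
    return n > 0 && (size_t)n > claimed_bound(expr);
}

int main(void)
{
    /* "09J" and "0/0~09J" come from the report; "1+2*3" is constructed. */
    const char *samples[] = { "1+2*3", "09J", "0/0~09J" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *e = samples[i];
        printf("%-10s values=%d bound=%zu %s; strict scan -> %d\n",
               e, count_value_tokens(e, 0), claimed_bound(e),
               exceeds_claimed_bound(e) ? "EXCEEDED" : "ok",
               count_value_tokens(e, 1));
    }
    return 0;
}
```

The lenient scan shows why the old bound fails: "09J" yields three values from three characters, while `strlen/2 + 1` allows two. The strict scan returns -1 on the same input as soon as '9' follows the number '0', which is the early rejection described in the reply above and the reason an allocation sized for well-formed input cannot be overflowed once such input is refused.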
