[PATCH] shell: avoid segfault on ${0::0/0~09J}. Closes 15216
Denys Vlasenko
vda.linux at googlemail.com
Mon Jun 12 15:54:11 UTC 2023
Sorry for missing your fix for so long.
I would like to avoid having numstack[] too large,
so I'm adding some code to bail out early if we see
a number immediately followed by a number or a name,
which is never valid.
Thus, the current allocation will not be overflowed.
Please try current git.
On Thu, Dec 29, 2022 at 2:53 PM Ron Yorston <rmy at pobox.com> wrote:
>
> Both ash and hush segfault when asked to evaluate ${0::0/0~09J}.
>
> The stack for integer values in the arithmetic code was too small:
> '09J' results in three integers. The leading zero starts an octal
> number but '9' isn't an octal digit so '0', '9' and the variable
> 'Z' are placed on the stack.
>
> Signed-off-by: Ron Yorston <rmy at pobox.com>
> ---
> shell/math.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/shell/math.c b/shell/math.c
> index 76d22c9bd..83ef85c0c 100644
> --- a/shell/math.c
> +++ b/shell/math.c
> @@ -588,7 +588,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
> /* The proof that there can be no more than strlen(startbuf)/2+1
> * integers in any given correct or incorrect expression
> * is left as an exercise to the reader. */
> - var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
> + /* Counterexample: 09J results in three integers. */
> + var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
> var_or_num_t *numstackptr = numstack;
> /* Stack of operator tokens */
> operator *const stack = alloca(expr_len * sizeof(stack[0]));
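Review bot: the three-line "proof" comment above the allocation still asserts a strlen(startbuf)/2+1 bound that the new comment directly beneath it calls a counterexample to; replace the proof remark with the reasoning behind the new size (at most one numstack entry per input character) rather than leaving the two comments contradicting each other. The new size `expr_len - 2` also relies on expr_len being at least 2, which this hunk does not show; if expr_len is unsigned and can be smaller, the subtraction wraps and alloca is asked for a huge region. Since the operator stack two lines below already uses `expr_len` entries, `alloca(expr_len * sizeof(numstack[0]))` would be the simpler and obviously sufficient bound.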
> --
> 2.38.1
>
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
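As an added illustration, not busybox's math.c nor code from either author, here is a small C model of the value scanner the patch and reply discuss: a leading zero starts an octal literal and a non-octal digit ends it, so "09J" yields three values from three characters and exceeds the strlen/2+1 bound claimed in the old comment, while count_values with strict set applies the early bail-out the reply proposes (a number directly followed by a number or a name is rejected). The function names and the simplified scanning rules (no hex literals, no operator grammar) are assumptions.

```c
#include <ctype.h>
#include <string.h>
/* Illustrative model, not busybox's math.c: a leading '0' starts an octal
 * literal, so a non-octal digit ends that token; "09J" therefore scans as
 * the number 0, the number 9 and the name J: three values from three chars. */
static size_t scan_number(const char *s)   /* s[0] is a digit; hex omitted */
{
    size_t i = 1;
    if (s[0] == '0')                          /* octal: digits 0-7 only */
        while (s[i] >= '0' && s[i] <= '7') i++;
    else
        while (isdigit((unsigned char)s[i])) i++;
    return i;
}

static size_t scan_name(const char *s)     /* s[0] is a letter or '_' */
{
    size_t i = 1;
    while (isalnum((unsigned char)s[i]) || s[i] == '_') i++;
    return i;
}

/* Number of values (numbers or names) the expression would push on
 * numstack. With strict != 0, a value directly following another value,
 * which is never valid, returns -1: the early bail-out the reply proposes. */
int count_values(const char *expr, int strict)
{
    int count = 0, prev_was_value = 0;
    for (size_t i = 0; expr[i]; ) {
        unsigned char c = (unsigned char)expr[i];
        size_t n = 0;
        if (isdigit(c))
            n = scan_number(expr + i);
        else if (isalpha(c) || c == '_')
            n = scan_name(expr + i);
        if (n == 0) {                         /* operator or whitespace */
            if (!isspace(c)) prev_was_value = 0;
            i++;
            continue;
        }
        if (strict && prev_was_value) return -1;
        count++;
        prev_was_value = 1;
        i += n;
    }
    return count;
}
/* Does the strlen/2+1 bound claimed in the old comment hold for expr? */
int old_bound_holds(const char *expr)
{ return count_values(expr, 0) <= (int)(strlen(expr) / 2 + 1); }
```

For "09J" the model pushes three values against a claimed bound of two, which is the overflow the quoted patch enlarges the stack for; with strict set the same input is rejected as soon as the 9 follows the 0.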