author | Denys Vlasenko <vda.linux@googlemail.com> | 2022-08-02 12:41:18 +0200 |
---|---|---|
committer | Denys Vlasenko <vda.linux@googlemail.com> | 2022-08-02 12:41:18 +0200 |
commit | daa66ed62c79684219088cc0361d5b316d5d1295 (patch) | |
tree | 45ea93d868cc86875bc4ab6998ff7a8e0e1677d0 | |
parent | 1c5455284234e894dfb6086bf7f3e9a6d5d9611f (diff) | |
ash: fix use-after-free in pattern substituon code
Patch by soeren@soeren-tempel.net
The idx variable points to a value in the stack string (as managed
by STPUTC). STPUTC may resize this stack string via realloc(3). If
this happens, the idx pointer needs to be updated. Otherwise,
dereferencing idx may result in a use-after-free.
function old new delta
subevalvar 1562 1566 +4
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | shell/ash.c | 6 |
1 files changed, 4 insertions, 2 deletions
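--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7324,13 +7324,15 @@ subevalvar(char *start, char *str, int strloc,
 if (idx >= end)
 break;
 STPUTC(*idx, expdest);
+if (stackblock() != restart_detect)
+goto restart;
 if (quotes && (unsigned char)*idx == CTLESC) {
 idx++;
 len++;
 STPUTC(*idx, expdest);
+if (stackblock() != restart_detect)
+goto restart;
 }
-if (stackblock() != restart_detect)
-goto restart;
 idx++;
 len++;
 rmesc++;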
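Review bot: Both `STPUTC(*idx, expdest)` calls still pass `*idx` as the macro argument, so if STPUTC evaluates that argument only after growing the stack string (its definition is not in this hunk and should be confirmed), the byte is read from the old, already-reallocated block before the new `stackblock() != restart_detect` check can run. Reading the byte first closes that window however the macro is written: `char ch = *idx;` followed by `STPUTC(ch, expdest);`, at both call sites. The moved checks would also benefit from a short comment such as `/* STPUTC may realloc the stack string; idx is stale, redo from restart */`, so a later edit does not slide a dereference of `idx` back in between the put and the check. The `restart` label and the assignment of `restart_detect` are outside the hunk, as is the rest of subevalvar.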