diff options
| author | Sören Tempel <soeren@soeren-tempel.net> | 2022-08-02 18:23:32 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2022-08-02 18:27:41 +0200 |
| commit | 7c2a3bdde0a1316771fdd07ff03413f00383f70e (patch) | |
| tree | dd65c7c05bc5985ef21d46e76a455df13e2a0dfd /shell | |
| parent | 84b89b4c22ab7c8348d00e31d5319fad6e43defe (diff) | |
| download | busybox-w32-7c2a3bdde0a1316771fdd07ff03413f00383f70e.tar.gz busybox-w32-7c2a3bdde0a1316771fdd07ff03413f00383f70e.tar.bz2 busybox-w32-7c2a3bdde0a1316771fdd07ff03413f00383f70e.zip | |
ash: fix use-after-free in bash pattern substitution
function old new delta
subevalvar 1566 1564 -2
Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'shell')
| -rw-r--r-- | shell/ash.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/shell/ash.c b/shell/ash.c index 105edd4c8..55c1034f5 100644 --- a/shell/ash.c +++ b/shell/ash.c | |||
| @@ -7357,6 +7357,13 @@ subevalvar(char *start, char *str, int strloc, | |||
| 7357 | idx = loc; | 7357 | idx = loc; |
| 7358 | } | 7358 | } |
| 7359 | 7359 | ||
| 7360 | /* The STPUTC invocations above may resize and move the | ||
| 7361 | * stack via realloc(3). Since repl is a pointer into the | ||
| 7362 | * stack, we need to reconstruct it relative to stackblock(). | ||
| 7363 | */ | ||
| 7364 | if (slash_pos >= 0) | ||
| 7365 | repl = (char *)stackblock() + strloc + slash_pos + 1; | ||
| 7366 | |||
| 7360 | //bb_error_msg("repl:'%s'", repl); | 7367 | //bb_error_msg("repl:'%s'", repl); |
| 7361 | for (loc = (char*)repl; *loc; loc++) { | 7368 | for (loc = (char*)repl; *loc; loc++) { |
| 7362 | char *restart_detect = stackblock(); | 7369 | char *restart_detect = stackblock(); |