blob: a8c13e4a572d1deb140ab41d4df4596e0ff20bd6 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
From 3e83699ce23400d75c7ddaa7ebfdec015177caa7 Mon Sep 17 00:00:00 2001
From: Karsten Sperling <ksperling@apple.com>
Date: Thu, 18 May 2023 16:47:49 +0200
Subject: [PATCH] ash: use-after-free in bash pattern substitution
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Commit daa66ed6 fixed a number of use-after-free bugs in bash pattern
substitution, however one "unguarded" STPUTC remained, which is fixed here.
function old new delta
subevalvar 1564 1576 +12
Signed-off-by: Karsten Sperling <ksperling@apple.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net>
---
shell/ash.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/shell/ash.c b/shell/ash.c
index d2c5c5d50..51b627fcc 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -7370,6 +7370,8 @@ subevalvar(char *start, char *str, int strloc,
char *restart_detect = stackblock();
if (quotes && *loc == '\\') {
STPUTC(CTLESC, expdest);
+ if (stackblock() != restart_detect)
+ goto restart;
len++;
}
STPUTC(*loc, expdest);
|
