ash: fix use-after-free in bash pattern substitution

function                                             old     new   delta
subevalvar                                          1566    1564      -2

Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Sören Tempel 2022-08-02 18:23:32 +02:00 committed by Denys Vlasenko
parent 84b89b4c22
commit 7c2a3bdde0

View File

@ -7357,6 +7357,13 @@ subevalvar(char *start, char *str, int strloc,
idx = loc; idx = loc;
} }
/* The STPUTC invocations above may resize and move the
* stack via realloc(3). Since repl is a pointer into the
* stack, we need to reconstruct it relative to stackblock().
*/
if (slash_pos >= 0)
repl = (char *)stackblock() + strloc + slash_pos + 1;
//bb_error_msg("repl:'%s'", repl); //bb_error_msg("repl:'%s'", repl);
for (loc = (char*)repl; *loc; loc++) { for (loc = (char*)repl; *loc; loc++) {
char *restart_detect = stackblock(); char *restart_detect = stackblock();