ash: fix use-after-free in pattern substitution code

Patch by soeren@soeren-tempel.net

The idx variable points to a value in the stack string (as managed
by STPUTC). STPUTC may resize this stack string via realloc(3). If
this happens, the idx pointer needs to be updated. Otherwise,
dereferencing idx may result in a use-after-free.

function                                             old     new   delta
subevalvar                                          1562    1566      +4

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Denys Vlasenko 2022-08-02 12:41:18 +02:00
parent 1c54552842
commit daa66ed62c

@ -7324,13 +7324,15 @@ subevalvar(char *start, char *str, int strloc,
if (idx >= end) if (idx >= end)
break; break;
STPUTC(*idx, expdest); STPUTC(*idx, expdest);
if (stackblock() != restart_detect)
goto restart;
if (quotes && (unsigned char)*idx == CTLESC) { if (quotes && (unsigned char)*idx == CTLESC) {
idx++; idx++;
len++; len++;
STPUTC(*idx, expdest); STPUTC(*idx, expdest);
if (stackblock() != restart_detect)
goto restart;
} }
if (stackblock() != restart_detect)
goto restart;
idx++; idx++;
len++; len++;
rmesc++; rmesc++;
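
Review bot: The two added `if (stackblock() != restart_detect) goto restart;` checks, one after each `STPUTC(*idx, expdest);`, carry no comment saying why they must run before the next read of `*idx`. Without one, a later cleanup could fold them back into the single check after the closing brace that this hunk removes. With that placement, `(unsigned char)*idx == CTLESC` and the second `STPUTC(*idx, expdest);` read through idx after the stack string may already have been moved. Suggest a one-line comment above the first check, for example "STPUTC may realloc the stack string; idx is stale once stackblock() changes", or wrapping STPUTC and the check in a small local macro so the pair cannot be separated. The commit message says idx "needs to be updated" while the code jumps to restart instead; the comment is a good place to state that restarting is how the pointer gets refreshed.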