ash: fix use-after-free in pattern substituon code
Patch by soeren@soeren-tempel.net The idx variable points to a value in the stack string (as managed by STPUTC). STPUTC may resize this stack string via realloc(3). If this happens, the idx pointer needs to be updated. Otherwise, dereferencing idx may result in a use-after free. function old new delta subevalvar 1562 1566 +4 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
parent
1c54552842
commit
daa66ed62c
@ -7324,13 +7324,15 @@ subevalvar(char *start, char *str, int strloc,
|
||||
if (idx >= end)
|
||||
break;
|
||||
STPUTC(*idx, expdest);
|
||||
if (stackblock() != restart_detect)
|
||||
goto restart;
|
||||
if (quotes && (unsigned char)*idx == CTLESC) {
|
||||
idx++;
|
||||
len++;
|
||||
STPUTC(*idx, expdest);
|
||||
}
|
||||
if (stackblock() != restart_detect)
|
||||
goto restart;
|
||||
}
|
||||
idx++;
|
||||
len++;
|
||||
rmesc++;
|
||||
|
Loading…
Reference in New Issue
Block a user