ash: don't read past end of var in subvareval for bash substitutions

Without this patch, BusyBox handles bash pattern substitutions without
a terminating '/' character incorrectly.

Consider the following shell script:

	_bootstrapver=5.0.211-r0
	_referencesdir="/usr/${_bootstrapver/-*}/Sources"
	echo $_referencesdir

This should output `/usr/5.0.211/Sources`. However, without this patch
it instead outputs `/usr/5.0.211Sources`. This is due to the fact that
BusyBox expects the bash pattern substitutions to always be terminated
with a '/' (at least in this part of subvareval) and thus reads passed
the substitution itself and consumes the '/' character which is part of
the literal string. If there is no '/' after the substitution then
BusyBox might perform an out-of-bounds read under certain circumstances.

When replacing the bash pattern substitution with `${_bootstrapver/-*/}`,
or with this patch applied, ash outputs the correct value.

Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

shell/ash.c

@@ -7081,6 +7081,10 @@ subevalvar(char *start, char *str, int strloc,
 				*repl = '\0';
 				break;
 			}
+			if ((unsigned char)*repl == CTLENDVAR) { /* ${v/pattern} (no trailing /, no repl) */
+				repl = NULL;
+				break;
+			}
 			/* Handle escaped slashes, e.g. "${v/\//_}" (they are CTLESC'ed by this point) */
 			if ((unsigned char)*repl == CTLESC && repl[1])
 				repl++;

shell/ash_test/ash-vars/var_bash_repl_unterminated.right

@@ -0,0 +1 @@
+b/d

shell/ash_test/ash-vars/var_bash_repl_unterminated.tests

@@ -0,0 +1,2 @@
+a=b-c
+echo ${a/-*}/d

shell/hush_test/hush-vars/var_bash_repl_unterminated.right

@@ -0,0 +1 @@
+b/d

shell/hush_test/hush-vars/var_bash_repl_unterminated.tests

@@ -0,0 +1,2 @@
+a=b-c
+echo ${a/-*}/d