If strgrpmatch() is called with two empty strings and an uninitialized
automatic array for `sub`, it returns (on the `!*p` path) without writing
`sub`, so downstream code can read sub[0] and sub[1] with whatever the
stack happened to contain.
(gdb) where
#0 strgrpmatch (b=0x1a11a0 "", p=0x1a1240 "", sub=0xbfffb4fc, n=65,
flags=2) at /tmp/ksh-15.roots/ksh-15.obj/src/lib/libast/string/
strmatch.c:96
#1 0x0003a231 in varsub (mp=0x174030) at /tmp/ksh-15.roots/ksh-15.obj/
src/cmd/ksh93/sh/macro.c:1496
#2 0x0003705e in copyto (mp=0x174030, endch=0, newquote=0) at /tmp/
ksh-15.roots/ksh-15.obj/src/cmd/ksh93/sh/macro.c:556
#3 0x000358f6 in sh_mactrim (str=0x19ee79 "rest2=\"${rest11#
$file2}\"", mode=-1) at /tmp/ksh-15.roots/ksh-15.obj/src/cmd/ksh93/sh/
macro.c:170
#4 0x0003d1f1 in nv_setlist (arg=0x19ee70, flags=131584) at /tmp/
ksh-15.roots/ksh-15.obj/src/cmd/ksh93/sh/name.c:193
#5 0x000580e3 in sh_exec (t=0x19eea0, flags=4) at /tmp/ksh-15.roots/
ksh-15.obj/src/cmd/ksh93/sh/xec.c:698
#6 0x0005a36d in sh_exec (t=0x19f450, flags=4) at /tmp/ksh-15.roots/
ksh-15.obj/src/cmd/ksh93/sh/xec.c:1317
#7 0x0000590f in b_dot_cmd (n=0, argv=0x178b54, extra=0x12a080) at /
tmp/ksh-15.roots/ksh-15.obj/src/cmd/ksh93/bltins/misc.c:286
#8 0x0005de84 in sh_funct (np=0x199fa0, argn=2, argv=0x178b54,
envlist=0x0, execflg=5) at /tmp/ksh-15.roots/ksh-15.obj/src/cmd/ksh93/
sh/xec.c:2407
#9 0x0005941f in sh_exec (t=0x178af0, flags=5) at /tmp/ksh-15.roots/
ksh-15.obj/src/cmd/ksh93/sh/xec.c:980
#10 0x0005b22d in sh_exec (t=0x178860, flags=5) at /tmp/ksh-15.roots/
ksh-15.obj/src/cmd/ksh93/sh/xec.c:1583
#11 0x000128f7 in exfile ()
#12 0x00011c17 in sh_main ()
#13 0x00001f5e in main (argc=3, argv=0xbfffee20) at /tmp/ksh-15.roots/
ksh-15.obj/src/cmd/ksh93/sh/pmain.c:46
If the stack is dirty enough, varsub() will crash soon after.
Fix:
--- src/lib/libast/string/strmatch.c
+++ ./src/lib/libast/string/strmatch.c
@@ -92,8 +92,13 @@ strgrpmatch(const char* b, const char* p
regcache(NiL, 0, NiL);
return 0;
}
- if (!*p)
+ if (!*p) {
+ if (sub) {
+ sub[0] = 0;
+ sub[1] = 0;
+ }
return *b == 0;
+ }
/*
* convert flags
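Review bot: The other early return visible at the top of the hunk (`regcache(NiL, 0, NiL); return 0;`) also leaves `sub` untouched, so a caller that reads sub[0]/sub[1] without consulting the return value still sees stack contents on that path; its condition sits above the hunk, so I cannot tell what triggers it. Consider hoisting the initialisation ahead of both returns, e.g. `if (sub) sub[0] = sub[1] = 0;` as the first statement of the function, which covers the new `!*p` case as well. The new write also ignores `n`: if `n` counts ints in `sub` rather than (start,end) pairs, a caller passing n < 2 gets a one-int overrun, so guard with `if (sub && n > 0)` (or `n > 1`, whichever convention the group loop below the hunk uses). Minor style point: the surrounding code puts braces on their own line (see the lone `}` at the top of the hunk), while the added `if (!*p) {` uses K&R placement. strgrpmatch's body continues past the end of the hunk.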
To reproduce (observed at least on x86 Darwin with an optimized ksh build):
# Create an empty input file, then run the cut-down script on it
# (the file name is the only argument, so no separator is present).
touch example.vcf
ksh test.ksh example.vcf
#test.ksh cut down from lesspipe.sh
# lesspipe.sh, a preprocessor for less (version 1.53)
#========================================================================
### THIS FILE IS GENERATED FROM lesspipe.sh.in, PLEASE GET THE TAR FILE
### ftp://ftp.ifh.de/pub/unix/utility/lesspipe.tar.gz
### AND RUN configure TO GENERATE A lesspipe.sh THAT WORKS IN YOUR
### ENVIRONMENT
sep=: # file name separator: used to join "$@" below and to split the result apart again in show()
# show: split "$1" (the sep-joined argument list built at top level) into
# its first two sep-delimited fields.  Sets file1/rest1 for the first
# field, file2/rest2/rest11 for the second, and in_file="-i$file2" when a
# second field exists.  A doubled separator ("::") is not treated as a
# field boundary: the loops below grow file1/file2 across it.
show() {
# file1 = text before the first sep; rest1 = everything from that sep on.
file1="${1%%$sep*}"
rest1="${1#$file1}"
# While the remainder starts with "::", absorb the "::" and the following
# segment into file1 (a bare "::" with nothing after it ends the loop).
while [[ "$rest1" = ::* ]]; do
if [[ "$rest1" = "::" ]]; then
break
else
rest1="${rest1#$sep$sep}"
file1="${rest1%%$sep*}"
rest1="${rest1#$file1}"
# Recompute file1 as all of $1 that precedes the new remainder.
file1="${1%$rest1}"
fi
done
# Drop the single sep that separates field one from field two, then split
# the same way for file2/rest2.
rest11="${rest1#$sep}"
file2="${rest11%%$sep*}"
# NOTE(review): with a single argument and no sep, rest11 and file2 are
# both empty here, so this expansion matches an empty string against an
# empty pattern -- the strgrpmatch("", "") call in the backtrace.
rest2="${rest11#$file2}"
while [[ "$rest2" = ::* ]]; do
if [[ "$rest2" = "::" ]]; then
break
else
rest2="${rest2#$sep$sep}"
file2="${rest2%%$sep*}"
rest2="${rest2#$file2}"
file2="${rest11%$rest2}"
fi
done
# Only a non-empty second field yields an -i option.
if [[ "$file2" != "" ]]; then
in_file="-i$file2"
fi
rest2="${rest11#$file2}"
}
# Join all arguments into a single sep-separated string; IFS is set to
# sep for this assignment (intended so "$@" joins with it) and then
# restored to a space.
IFS=$sep a="$@"
IFS=' '
if [[ "$a" = "" ]]; then
# No arguments: print the LESSOPEN setting for the caller's shell family
# (csh-style setenv vs. Bourne-style assignment + export).
if [[ "$SHELL" = *csh ]]; then
echo "setenv LESSOPEN \"|$0 %s\""
else
echo "LESSOPEN=\"|$0 %s\""
echo "export LESSOPEN"
fi
else
# Otherwise parse the joined argument string (this is the crashing path).
show "$a"
fi