No, the write here:
while (isalnum_(*++p)) {
--> p[-1] = *p;
}
I can demonstrate my example by adding some printf's.
With the attached patch applied, the command "./busybox awk -e foo" produces
this output:
argv[0]: 0x7ffec28dde2d "awk"
argv[1]: 0x7ffec28dde31 "-e"
argv[2]: 0x7ffec28dde34 "foo"
program: 0x7ffec28dde34 "foo"
write: 0x7ffec28dde33 0x00
write: 0x7ffec28dde34 f 0x66
write: 0x7ffec28dde35 o 0x6f
The first write to p[-1] is before argv[2] (i.e. before the program buffer),
and overwrites the null at the end of argv[1].
This probably works, so long as argv[1] is always there to overwrite and isn't
read afterward.
Kind regards,
Sarah Harris
diff --git a/editors/awk.c b/editors/awk.c
index 5f1d670a4..cf9db3df5 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -1217,8 +1217,10 @@ static uint32_t next_token(uint32_t expected)
if (!isalnum_(*p))
syntax_error(EMSG_UNEXP_TOKEN); /* no */
/* yes */
+ printf("program: %p \"%s\"\n", p, p);
t_string = --p;
while (isalnum_(*++p)) {
+ printf("write: %p %c 0x%02x\n", &p[-1], p[-1], p[-1]);
p[-1] = *p;
}
p[-1] = '\0';
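Review bot: the `%c` conversion in the new printf inside the loop is handed p[-1] before the store, and on the first iteration that byte is the 0x00 terminating the previous argv string (as the trace shows), so a raw NUL goes into stdout and the first "write:" line appears to lack its character; also `%02x` with a plain `char` argument prints sign-extended values for bytes >= 0x80. Printing the old byte only as hex and casting it, e.g. `printf("write: %p 0x%02x\n", (void *)&p[-1], (unsigned char)p[-1]);`, makes the trace unambiguous; since the hunk is diagnostic instrumentation rather than a fix, it should be marked not-for-merge in the description.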
@@ -3351,6 +3353,10 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
char **envp;
char *vnames = (char *)vNames; /* cheat */
char *vvalues = (char *)vValues;
+ int index;
+ for (index=0; argv[index]; index++) {
+ printf("argv[%d]: %p \"%s\"\n", index, argv[index], argv[index]);
+ }
INIT_G();
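Review bot: `int index;` in awk_main shadows the libc `index()` declared in <strings.h> (and by <string.h> under the usual feature macros), which busybox's headers pull in, so this hunk trips -Wshadow; a name such as `i` or `argi` avoids it. The loop is otherwise a harmless diagnostic, but like the first hunk it writes to stdout and belongs in a debugging patch only, not in the fix for the out-of-bounds write.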
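Added example (not from this e-mail, and not busybox's own code or its eventual fix): a stand-alone C program that reproduces the compaction idiom from next_token() on a constructed buffer laid out like argv[1] followed by argv[2], so the one-byte write before the program text can be observed without undefined behaviour, and puts a checked wrapper beside it that refuses the offset-0 case. The `isalnum_` predicate is assumed to mean "alnum or underscore"; `compact_ident_checked`, `clobbered_prev_len`, `checked_path_ok` and `refuses_offset_zero` are illustrative names introduced here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: busybox's isalnum_() accepts letters, digits and underscore. */
static int isalnum_(int c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/*
 * The idiom from next_token(): slide the identifier starting at p one byte
 * to the left so it can be NUL-terminated without clobbering the byte that
 * follows it (for instance the '(' of a function call). Returns the start of
 * the terminated identifier, which is p - 1. The caller must guarantee that
 * p - 1 lies inside the same writable buffer: when p is the first byte of
 * the program text, the first store lands one byte before that buffer.
 */
static char *compact_ident_unchecked(char *p)
{
    char *t_string = --p;
    while (isalnum_(*++p))
        p[-1] = *p;
    p[-1] = '\0';
    return t_string;
}

/*
 * Illustrative guard (not busybox's fix): address the identifier as
 * (buffer, offset) so the precondition can be checked, and return NULL
 * instead of ever storing to buf[-1].
 */
static char *compact_ident_checked(char *buf, size_t off)
{
    if (off == 0)
        return NULL;
    return compact_ident_unchecked(buf + off);
}

/*
 * Reproduce the report's layout inside one array: "-e" NUL "foo" NUL, i.e.
 * argv[1] immediately followed by argv[2]. After the unchecked compaction
 * the NUL that ended "-e" has become 'f', so strlen() of the earlier string
 * grows from 2 to 5 ("-efoo"). Constructed sample data.
 */
size_t clobbered_prev_len(void)
{
    char mem[] = "-e\0foo";            /* 7 bytes */
    compact_ident_unchecked(mem + 3);  /* "foo" starts at offset 3 */
    return strlen(mem);
}

/* Hardened path with one spare byte before the identifier: returns 1 when
 * "foo" is terminated in place and the '(' after it survives. */
int checked_path_ok(void)
{
    char buf[] = " foo(";
    char *t = compact_ident_checked(buf, 1);
    return t == buf && strcmp(t, "foo") == 0 && buf[4] == '(';
}

/* Hardened path on the report's case, identifier at offset 0: returns 1 when
 * the call is refused and the buffer is left untouched. */
int refuses_offset_zero(void)
{
    char buf[] = "foo";
    return compact_ident_checked(buf, 0) == NULL && strcmp(buf, "foo") == 0;
}

int main(void)
{
    printf("length of the string before the program text after the unchecked "
           "compaction: %zu (was 2)\n", clobbered_prev_len());
    printf("checked path keeps the following byte: %s\n",
           checked_path_ok() ? "yes" : "no");
    printf("checked path refuses offset 0: %s\n",
           refuses_offset_zero() ? "yes" : "no");
    return 0;
}
```

The unchecked routine is byte-for-byte the loop quoted at the top of the mail; the only thing the checked wrapper adds is knowledge of where the buffer begins, which is exactly what `next_token()` lacks when `-e foo` places the identifier at offset 0 of the program text.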
_______________________________________________
busybox mailing list
[email protected]
http://lists.busybox.net/mailman/listinfo/busybox