On 06/02/2025 01:29, Anton Moryakov wrote:
> report
> After having been compared to a NULL value at `if (dest.data) {`,
> pointer 'dest.data' is passed in call to function 'o_addQchr'
> at `o_addQchr(&dest, ch);`, where it is dereferenced at ` && strchr("*?[-\\"
> MAYBE_BRACES, ch)`

This looks like a legitimate bug, but the patch is not right. It does
not fix all instances of the bug (the problem is that the case where
dest.length == dest.maxlen gets mishandled, which can happen when
dest.data == NULL as well as when dest.data != NULL), and in those cases
where it does prevent a crash, it prevents a crash by doing the wrong thing.

In o_addqchr, care is taken to ensure that o_grow_by() is called before
o->data is accessed. This was done as part of
<https://git.busybox.net/busybox/commit/?id=371de4acf7eb345bf8c92f257f9a14342603e59a>,
but only for o_addqchr, not for o_addQchr. That same change should be
done for o_addQchr.

Cheers,
Harald van Dijk
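
Added example, not part of the original message and not BusyBox code: a simplified C model of the ordering issue discussed above, showing a store made before the buffer is grown next to the grow-first form. The `gstr` type, `grow_by`, `add_escaped_before` and `add_escaped` are hypothetical names, and the allocation policy and escape set are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model of a growable string. Type and function names are
 * hypothetical; only the ordering of grow vs. store mirrors the email. */
struct gstr { char *data; size_t length, maxlen; };

/* Guarantee room for len more bytes plus the terminating NUL. */
void grow_by(struct gstr *o, size_t len)
{
	if (o->length + len > o->maxlen) {
		size_t want = o->length + len + 16;
		char *p = realloc(o->data, want + 1);
		if (!p)
			abort();
		o->data = p;
		o->maxlen = want;
	}
}

/* Before: the escape byte is stored before grow_by() has run. On an empty
 * string (data == NULL) that store goes through a null pointer. */
void add_escaped_before(struct gstr *o, int ch)
{
	size_t sz = 1;
	if (ch && strchr("*?[-\\", ch)) {
		sz++;
		o->data[o->length++] = '\\';
	}
	grow_by(o, sz);
	o->data[o->length++] = (char)ch;
	o->data[o->length] = '\0';
}

/* After: decide whether to escape, grow for the full size, then store. */
void add_escaped(struct gstr *o, int ch)
{
	int esc = ch && strchr("*?[-\\", ch) != NULL;
	grow_by(o, esc ? 2 : 1);
	if (esc)
		o->data[o->length++] = '\\';
	o->data[o->length++] = (char)ch;
	o->data[o->length] = '\0';
}
```

In the grow-first form no NULL check is needed at the call site, because every store happens after the buffer is known to hold the escape byte, the character and the terminator.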