On 28/03/2018 11:52, Herbert Xu wrote:
> On Wed, Mar 28, 2018 at 08:44:28AM +0200, Harald van Dijk wrote:
>>
>> Test case:
>>
>>    $v='*\'
>>    set -- $v
>
> I don't see how this would cause an overrun, can you please explain
> it for me?

Line numbers are from 0.5.9.1.

When expanded backslashes are no longer treated as quoted, this would call expmeta() with the pattern *\, that is with a single unquoted trailing backslash, so:

expand.c:1333

                        if (*p == '\\')
                                esc++;
                        if (p[esc] == '/') {

The first if statement will be hit and set esc to 1. p[esc] is then '\0', so the second if block doesn't get entered and the outer loop continues:

expand.c:1315

        for (p = name; esc = 0, *p; p += esc + 1) {

p += esc + 1 will increase p by 2, letting it point just past the terminating '\0'. The loop condition of *p now accesses the byte just past the pattern.

Cheers,
Harald van Dijk
--
To unsubscribe from this list: send the line "unsubscribe dash" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
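The over-read Harald describes is easy to reproduce in isolation. The following is an added example, not code from the dash source or from this thread: it models the quoted scan loop (backslash escapes the next byte, `p[esc] == '/'` marks a directory boundary) once with the loop exactly as quoted and once with the single check that stops a trailing backslash from being counted as an escape. The names scan_buggy, scan_fixed and scan_result, the sentinel buffer, and the fix itself are assumptions of this example, not dash's actual patch.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not dash's code. Both functions walk a glob pattern the
 * way the quoted expmeta() loop does: a backslash escapes the following
 * byte, and a '/' (escaped or not, matching the quoted p[esc] == '/')
 * records the start of the last path component. They return where the
 * loop's *p test finally observed a NUL; for a correct scan that is
 * always strlen(name).
 */
struct scan_result {
    size_t stop;   /* offset of the byte on which the loop terminated */
    size_t start;  /* offset of the last path component */
};

/* Loop as quoted from expand.c: a backslash always bumps esc, even when
   the byte after it is the terminating NUL, so p += esc + 1 steps over
   the terminator and the next *p reads outside the pattern. */
struct scan_result scan_buggy(const char *name)
{
    const char *p, *start = name;
    int esc;

    for (p = name; esc = 0, *p; p += esc + 1) {
        if (*p == '\\')
            esc++;
        if (p[esc] == '/')
            start = p + esc + 1;
    }
    return (struct scan_result){ (size_t)(p - name), (size_t)(start - name) };
}

/* Hypothetical fix (assumption of this example): a backslash only counts
   as an escape when there is a byte after it to escape, so a trailing
   backslash is consumed on its own and the loop stops on the real NUL. */
struct scan_result scan_fixed(const char *name)
{
    const char *p, *start = name;
    int esc;

    for (p = name; esc = 0, *p; p += esc + 1) {
        if (*p == '\\' && p[1] != '\0')
            esc++;
        if (p[esc] == '/')
            start = p + esc + 1;
    }
    return (struct scan_result){ (size_t)(p - name), (size_t)(start - name) };
}

int main(void)
{
    /* Constructed input: the pattern "*\" with its NUL, followed by a
       sentinel 'X' and a second NUL so the over-read stays inside this
       array and is observable rather than undefined. */
    char buf[] = { '*', '\\', '\0', 'X', '\0' };
    struct scan_result b = scan_buggy(buf);
    struct scan_result f = scan_fixed(buf);

    printf("strlen(pattern) = %zu\n", strlen(buf));
    printf("buggy loop stopped at offset %zu (read past the terminator)\n", b.stop);
    printf("fixed loop stopped at offset %zu\n", f.stop);

    /* A normal pattern with an escaped slash behaves the same either way. */
    f = scan_fixed("dir/a\\/b");
    printf("last component of dir/a\\/b starts at offset %zu\n", f.start);
    return 0;
}
```

Running it shows the quoted loop stopping at offset 4, two bytes past the pattern's terminator at offset 2, which is exactly the byte-past-NUL read described above; in a real expmeta() call that byte is whatever follows the pattern in memory, so ASan or valgrind rather than a sentinel is the practical way to catch it.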