On Thu, Jul 13, 2006 at 09:25:09AM +0200, Viktor Griph wrote:
> On Thu, 13 Jul 2006, Scott Smedley wrote:
>
> > Hi all,
> >
> > I think there is a bug in FVWM's parameter expansion.
> > FVWM crashes with a simple command such as:
> >
> > Echo $[0]
> >
> > I am looking at this problem in GDB. The variable 'm' suddenly has a
> > huge value when I reach line 918 of fvwm/expand.c:
> >
> > if (input[m] == ']')
> >
> > Then I get a SEGV because this is an illegal memory access.
> >
> > Can anyone else confirm this problem?
>
> I can't make it crash with just Echo $[0]. However, the following makes it
> crash 100%:
>
> AddToFunc TestFunc I Echo $[0]
> TestFunc $[0]
>
> I'll investigate that further after breakfast to see if it's the same
> crash, or a different one.
There are several bugs/crashes in expand_args_extended():

1) It does not check the range of the positional parameters. It happily
   parses and uses for example $[999]. I didn't try it, but I guess it
   causes random memory access.

2) In the "if (is_single_arg)" it uses the token returned by PeekToken as
   the base for further parsing functions. This is strictly forbidden
   because PeekToken returns a pointer to a static buffer.

3) As I said in an earlier message, PeekToken never returns an empty
   string. Calling PeekToken("", ...) returns a NULL pointer which the
   code accessed later.

I've fixed all three.

Ciao

Dominik ^_^  ^_^

-- 
Dominik Vogt, [EMAIL PROTECTED]
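Read the other way round, the three defects listed above are three checks a `$[N]` expander needs. The C below is an added illustration, not FVWM's code: `peek_token` is a hypothetical stand-in for FVWM's PeekToken with the static-buffer and NULL-for-empty behaviour the mail describes, and the two expand functions range-check the index, copy the token out of the static buffer before parsing further, and treat a NULL token as nothing to expand.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for FVWM's PeekToken (not its code): first token of s in a static
 * buffer, or NULL when s has no token, as the mail says PeekToken does. */
static const char *peek_token(const char *s)
{
    static char buf[64];
    size_t n = 0;
    while (isspace((unsigned char)*s)) s++;
    if (*s == '\0') return NULL;
    while (s[n] && !isspace((unsigned char)s[n]) && n < sizeof buf - 1) n++;
    memcpy(buf, s, n); buf[n] = '\0';
    return buf;
}

/* Expand $[N] in input against argv[0..argc-1] into out (outsz bytes); bug 1:
 * N is range-checked so $[999] yields "". Returns length, or -1 if out is small. */
int expand_positional(const char *input, int argc, char **argv, char *out, size_t outsz)
{
    size_t len = 0;
    for (const char *p = input; *p; p++) {
        const char *src = p;            /* default: copy one literal byte */
        size_t n = 1;
        if (p[0] == '$' && p[1] == '[' && isdigit((unsigned char)p[2])) {
            char *end;
            long idx = strtol(p + 2, &end, 10);
            if (*end == ']') {          /* malformed "$[1" stays literal */
                src = (idx >= 0 && idx < argc) ? argv[idx] : "";
                n = strlen(src);
                p = end;                /* the loop's p++ steps past ']' */
            }
        }
        if (len + n >= outsz) return -1;
        memcpy(out + len, src, n); len += n;
    }
    out[len] = '\0';
    return (int)len;
}

/* Expand only the first token of cmd, handling bugs 2 and 3 from the mail. */
int expand_first_token(const char *cmd, int argc, char **argv, char *out, size_t outsz)
{
    const char *tok = peek_token(cmd);
    char copy[64];
    if (tok == NULL)                    /* bug 3: NULL, not "", for no token */
        return expand_positional("", argc, argv, out, outsz);
    strcpy(copy, tok);                  /* bug 2: copy out of the static buffer */
    return expand_positional(copy, argc, argv, out, outsz);
}
```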