On Thu, Jul 13, 2006 at 02:55:24PM +0200, Viktor Griph wrote: > On Thu, 13 Jul 2006, Dominik Vogt wrote: > > >On Thu, Jul 13, 2006 at 09:25:09AM +0200, Viktor Griph wrote: > >>On Thu, 13 Jul 2006, Scott Smedley wrote: > >> > >>>Hi all, > >>> > >>>I think there is a bug in FVWM's parameter expansion. > >>>FVWM crashes with a simple command such as: > >>> > >>>Echo $[0] > >>> > >>>I am looking at this problem in GDB. The variable 'm', suddenly has a > >>>huge value when I reach line 918 of fvwm/expand.c: > >>> > >>>if (input[m] == ']') > >>> > >>>Then I get a SEGV because this is an illegal memory access. > >>> > >>>Can anyone else confirm this problem? > >>> > >> > >>I can'tr make it crash with just Echo $[0]. However the following make it > >>crash 100%: > >> > >>AddToFunc TestFunc I Echo $[0] > >>TestFunc $[0] > >> > >>I'll investigate that further after breakfast to see if it's the same > >>crash, or a different one. > > > >There are several bugs/crashes in expand_args_extended(): > > > >1) It does not check the range of the positional parameters. It > > happily parses and uses for example $[999]. I didn't try it, > > but I guess it causes random memory access. > > > I believe that SkipNTokens just stops when there is no more to consume. > Then $[999] will be empty if there are less then 1000 words in the string. > > > >2) In the "if (is_single_arg)" it uses the token returned by > > PeekToken as the base for further parsing functions. This is > > strictly forbidden because PeekToken returns a pointer to a > > static buffer. > > > Not true. With 'is_single_arg' true 'upper' will always be -1, so no other > parse-function will be called on the string.
Then, why do you not write if (is_single_arg) ... *else* if (upper >= 0) ... ? -- Hm, now that I think about it, the new functionality deviates from the way the old $0 ... worked in important ways which should be fixed: * A range of args like $[0-1] is expanded to the original text, not the unquoted form. I.e. in 'foo "a0" "a1" "a2"' $[0-1] is expanded to '"a0" "a1"' but should be expanded to 'a0 a1'. * Currently, $* is broken too as it does not remove quoting but just copies the input string. * According to the man page, things like $[*] or $[3-] are removed from the command line if there are no arguments. This is wrong as it prevents that the string '$[*]' is passed to another command. These variable should not be treated specially. Currently, not even $[0] is identical to $0. * The code is written too complicated too understand easily (as you can see from the fact that I only understood about 50% of it), and it's nested too deep. Ciao Dominik ^_^ ^_^ -- Dominik Vogt, [EMAIL PROTECTED]
signature.asc
Description: Digital signature