On Sat, May 31, 2014 at 08:21:31AM -0700, Pasha Bolokhov wrote:

> +     char *p, *last_space = NULL;
> +
> +     for (p = buf; *p; p++)
> +             if (*p == ' ') {
> +                     if (!last_space)
> +                             last_space = p;
> +             } else {
> +                     if (*p == '\\')
> +                             p++;
> +                     last_space = NULL;
> +             }

Your backslash-escape works here by incrementing "p" an extra time. So
we move past the backslash to the next character (which is escaped), and
then the for-loop increments it again to the character beyond that,
which is the next one worth considering.

What happens if we are parsing a string with an unmatched backslash at
the end of the string, like:


We consider the end-of-string NUL to be escaped, skip it, and then keep
reading whatever random bytes are in memory after the string.

The original version did not have a problem with this because it used
a length, which meant that  "i < len" caught this case.

I think you either need to insert an extra check for "!p[1]" when moving
past the escaped character, or move back to a length-based check.

To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to