• use wdcopy() not str_save() to duplicate an “encoded string”, whatever

• prevent out-of-bounds memory access, caught by glibc malloc on IA-64
tg
2007-03-14 02:41:09 +00:00
parent dbf38a152d
commit 7071cada42
3 changed files with 8 additions and 7 deletions

7
eval.c

@@ -2,7 +2,7 @@
#include "sh.h"
__RCSID("$MirOS: src/bin/mksh/eval.c,v 1.24 2007/03/04 03:04:24 tg Exp $");
__RCSID("$MirOS: src/bin/mksh/eval.c,v 1.25 2007/03/14 02:41:08 tg Exp $");
#ifdef MKSH_SMALL
#define MKSH_NOPWNAM
@@ -279,10 +279,11 @@ expand(const char *cp, /* input word */
char *beg, *end, *str;
sp = varname - 2; /* restore sp */
end = (beg = str_save(sp, ATEMP)) +
end = (beg = wdcopy(sp, ATEMP)) +
(wdscan(sp, CSUBST) - sp);
/* ({) the } or x is already skipped */
*end = EOS;
if (end < wdscan(beg, EOS))
*end = EOS;
str = snptreef(NULL, 64, "%S", beg);
afree(beg, ATEMP);
errorf("%s: bad substitution", str);
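Review bot: In the second hunk, `end` is still formed as `beg` plus an offset measured on `sp` before anything checks that the offset fits inside the copy. On the inputs this guard exists for, the code therefore computes and compares a pointer outside the `wdcopy()` allocation, which C leaves undefined even though the store itself is now skipped. Comparing offsets instead avoids that: `ptrdiff_t off = wdscan(sp, CSUBST) - sp;` followed by `if (off < wdscan(beg, EOS) - beg) beg[off] = EOS;`, with `end` dropped from the declaration. A one-line comment on the guard saying when the CSUBST scan of `sp` can run past the copied word would also help, since the existing `/* ({) … */` comment does not explain it. The enclosing `expand()` starts and ends outside the hunk.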