fix access-after-free crash spotted by Enjolras via IRC, thanks!

2014-06-29 11:28:28 +00:00
parent a375a7b2b6
commit e4c01375aa
3 changed files with 11 additions and 12 deletions
--- a/lex.c
+++ b/lex.c
@@ -23,7 +23,7 @@

 #include "sh.h"

-__RCSID("$MirOS: src/bin/mksh/lex.c,v 1.192 2014/01/11 18:09:40 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/lex.c,v 1.193 2014/06/29 11:28:28 tg Exp $");

 /*
 * states while lexing word
@@ -159,9 +159,10 @@ getsc_r(int c)
 	state = statep->type;					\
 } while (/* CONSTCOND */ 0)

-#define PUSH_SRETRACE()	do {					\
+#define PUSH_SRETRACE(s) do {					\
 	struct sretrace_info *ri;				\
 								\
+	PUSH_STATE(s);						\
 	statep->ls_start = Xsavepos(ws, wp);			\
 	ri = alloc(sizeof(struct sretrace_info), ATEMP);	\
 	Xinit(ri->xs, ri->xp, 64, ATEMP);			\
@@ -176,6 +177,7 @@ getsc_r(int c)
 	dp = (void *)retrace_info;				\
 	retrace_info = retrace_info->next;			\
 	afree(dp, ATEMP);					\
+	POP_STATE();						\
 } while (/* CONSTCOND */ 0)

 /**
@@ -404,9 +406,8 @@ yylex(int cf)
 					c = getsc();
 					if (c == '(') /*)*/ {
 						*wp++ = EXPRSUB;
-						PUSH_STATE(SASPAREN);
+						PUSH_SRETRACE(SASPAREN);
 						statep->nparen = 2;
-						PUSH_SRETRACE();
 						*retrace_info->xp++ = '(';
 					} else {
 						ungetsc(c);
@@ -650,7 +651,6 @@ yylex(int cf)
 				if (statep->nparen == 1) {
 					/* end of EXPRSUB */
 					POP_SRETRACE();
-					POP_STATE();

 					if ((c2 = getsc()) == /*(*/ ')') {
 						cz = strlen(sp) - 2;
@@ -833,8 +833,7 @@ yylex(int cf)
 				} else if (c2 == '"') {
 					/* FALLTHROUGH */
 			case '"':
-					state = statep->type = SHEREDQUOTE;
-					PUSH_SRETRACE();
+					PUSH_SRETRACE(SHEREDQUOTE);
 					break;
 				}
 				ungetsc(c2);