Gitiles
Code Review Sign In
gerrit.nordix.org / codeaurora / busybox / 7c2a3bdde0a1316771fdd07ff03413f00383f70e^! / .
commit7c2a3bdde0a1316771fdd07ff03413f00383f70e[log] [tgz]
authorSören Tempel <soeren@soeren-tempel.net>Tue Aug 02 18:23:32 2022 +0200
committerDenys Vlasenko <vda.linux@googlemail.com>Tue Aug 02 18:27:41 2022 +0200
treedd65c7c05bc5985ef21d46e76a455df13e2a0dfd
parent84b89b4c22ab7c8348d00e31d5319fad6e43defe [diff]
ash: fix use-after-free in bash pattern substitution

function                                             old     new   delta
subevalvar                                          1566    1564      -2

Signed-off-by: Sören Tempel <soeren@soeren-tempel.net>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/shell/ash.c b/shell/ash.c
index 105edd4..55c1034 100644
--- a/shell/ash.c
+++ b/shell/ash.c

@@ -7357,6 +7357,13 @@
 				idx = loc;
 			}
 
+			/* The STPUTC invocations above may resize and move the
+			 * stack via realloc(3). Since repl is a pointer into the
+			 * stack, we need to reconstruct it relative to stackblock().
+			 */
+			if (slash_pos >= 0)
+				repl = (char *)stackblock() + strloc + slash_pos + 1;
+
 			//bb_error_msg("repl:'%s'", repl);
 			for (loc = (char*)repl; *loc; loc++) {
 				char *restart_detect = stackblock();