On 28/03/2018 08:23, Herbert Xu wrote:
> On Wed, Mar 28, 2018 at 12:19:17AM +0200, Harald van Dijk wrote:
>> This introduces a buffer overread. When expmeta() sees a backslash, it
>> assumes it can just skip the next character, assuming the next character is
>> not a forward slash. By treating expanded backslashes as unquoted, it
>> becomes possible for the next character to be the terminating '\0'.
>
> This code has always had to deal with naked backslashes. Can you
> show me the exact pattern that results in the overread?
No, it hasn't, because expmeta() is not used in case patterns, and case
patterns are currently the only case where naked backslashes can appear.
In contexts where pathname expansion is performed, a backslash coming
from a variable will be escaped by another backslash in currently
released dash versions.
Test case:
v='*\'        # value ends in a naked backslash
set -- $v     # unquoted expansion triggers pathname expansion on it
Cheers,
Harald van Dijk
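The overread pattern Harald describes, as an added example that is not dash's code: a minimal stand-in for a pattern scanner (hypothetical scan_unsafe and scan_safe) that treats a backslash as quoting the next byte, run over the value '*\' from the test case. The unsafe variant steps over the byte after the backslash unconditionally and so walks past the terminating NUL; the hardened variant checks for the NUL first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe scan: after a backslash it unconditionally steps over the next byte,
 * the assumption the report describes. With a trailing backslash that byte is
 * the terminating NUL, so the loop skips it and keeps reading past the end. */
static size_t scan_unsafe(const char *pattern)
{
    const char *p = pattern;
    while (*p != '\0') {
        if (*p == '\\')
            p++;                /* skips the NUL when the backslash is last */
        p++;
    }
    return (size_t)(p - pattern);   /* bytes walked; > strlen means overread */
}

/* Hardened scan: a backslash quotes the next byte only if there is one.
 * A trailing backslash stands for itself and the loop stops at the NUL. */
static size_t scan_safe(const char *pattern)
{
    const char *p = pattern;
    while (*p != '\0') {
        if (*p == '\\' && p[1] != '\0')
            p++;
        p++;
    }
    return (size_t)(p - pattern);
}

/* Places the report's value "*\" in a buffer padded with 'A' bytes after the
 * NUL, so the unsafe scan has memory to wander into rather than crashing,
 * then runs the given scanner over it. Constructed input, not real data. */
static size_t scan_padded(size_t (*scan)(const char *))
{
    char buf[16] = "*\\";                   /* buf[2] is the NUL */
    memset(buf + 3, 'A', sizeof(buf) - 4);  /* buf[3..14] = 'A', buf[15] = 0 */
    return scan(buf);
}

int main(void)
{
    printf("safe walked %zu bytes, unsafe walked %zu bytes (strlen is 2)\n",
           scan_padded(scan_safe), scan_padded(scan_unsafe));
    return 0;
}
```

Under a sanitizer the unsafe walk is reported as soon as the padding is replaced by an exact-size allocation; the hardened scan never touches memory beyond the string.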