On 28/03/2018 11:52, Herbert Xu wrote:
> On Wed, Mar 28, 2018 at 08:44:28AM +0200, Harald van Dijk wrote:
>> Test case:
>>
>> $v='*\'
>> set -- $v
>
> I don't see how this would cause an overrun, can you please explain
> it for me?
Line numbers are from 0.5.9.1.
When expanded backslashes are no longer treated as quoted, this would
call expmeta() with the pattern *\, that is with a single unquoted
trailing backslash, so:
expand.c:1333
        if (*p == '\\')
            esc++;
        if (p[esc] == '/') {
The first if statement will be hit and set esc to 1. p[esc] is then
'\0', so the second if block doesn't get entered and the outer loop
continues:
expand.c:1315
for (p = name; esc = 0, *p; p += esc + 1) {
p += esc + 1 will increase p by 2, letting it point just past the
terminating '\0'. The loop condition of *p now accesses the byte just
past the pattern.
Cheers,
Harald van Dijk
--
To unsubscribe from this list: send the line "unsubscribe dash" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
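The read past the terminator described above can be made visible without touching dash itself. The following is an added example, not code from the thread or from the dash tree: it walks a pattern with the same loop shape as the quoted expand.c lines, but by index through a padded buffer, and records the highest index the loop touches so that an overrun is reported instead of performed. The `fixed` variant is my own hypothetical hardening (a trailing backslash escapes nothing), not the patch dash actually applied; the `*?[` check that precedes the backslash test in the real function is omitted because it does not affect the stepping.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Model of the scanning loop quoted from dash 0.5.9.1 expand.c (expmeta()).
 * Added example for this thread, not dash's own code. */

#define PAD 4   /* sentinel bytes kept after the terminating '\0' */

/* fixed == 0: the loop exactly as quoted in the message.
 * fixed == 1: hypothetical hardening (assumption, not dash's actual patch):
 *             a backslash that is the last byte escapes nothing, so esc
 *             stays 0 and the step never crosses the '\0'.
 * Returns the highest index read; a result greater than strlen(name) means
 * the byte just past the terminating '\0' was read. */
static size_t scan_pattern(const char *name, int fixed)
{
    char buf[64];
    size_t len = strlen(name);
    size_t i, esc, max_read = 0;

    assert(len + PAD < sizeof buf);
    memset(buf, 'X', sizeof buf);     /* sentinel: anything but '\0' and '/' */
    memcpy(buf, name, len + 1);

    for (i = 0; ; i += esc + 1) {     /* for (p = name; esc = 0, *p; p += esc + 1) */
        esc = 0;
        if (i > max_read)
            max_read = i;             /* the `*p` loop test reads buf[i] */
        if (i > len)
            break;                    /* already past the terminator: stop the model */
        if (buf[i] == '\0')
            break;
        if (buf[i] == '\\' && (!fixed || buf[i + 1] != '\0'))
            esc++;                    /* if (*p == '\\') esc++; */
        if (i + esc > max_read)
            max_read = i + esc;       /* the `p[esc] == '/'` test reads buf[i + esc] */
        if (buf[i + esc] == '/') {
            /* expmeta() would handle a directory component here; nothing to model */
        }
    }
    return max_read;
}

int main(void)
{
    const char *pat = "*\\";          /* constructed: what $v='*\' yields */
    printf("unfixed: highest index read %zu, strlen %zu\n",
           scan_pattern(pat, 0), strlen(pat));
    printf("fixed:   highest index read %zu, strlen %zu\n",
           scan_pattern(pat, 1), strlen(pat));
    return 0;
}
```

With the pattern from the test case the unfixed walk reports index 3 on a two-byte string (the terminator sits at index 2), which is exactly the `p += esc + 1` step landing one past the '\0'; a pattern with an escaped slash in the middle, such as `a\/b`, never reads past its terminator in either variant, showing that the problem is specific to a backslash in last position.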