On Sat, May 31, 2014 at 08:21:31AM -0700, Pasha Bolokhov wrote:
> + char *p, *last_space = NULL;
> +
> + for (p = buf; *p; p++)
> + if (*p == ' ') {
> + if (!last_space)
> + last_space = p;
> + } else {
> + if (*p == '\\')
> + p++;
> + last_space = NULL;
> + }
Your backslash-escape works here by incrementing "p" an extra time. So
we move past the backslash to the next character (which is escaped), and
then the for-loop increments it again to the character beyond that,
which is the next one worth considering.
What happens if we are parsing a string with an unmatched backslash at
the end of the string, like:
foo\
We consider the end-of-string NUL to be escaped, skip it, and then keep
reading whatever random bytes are in memory after the string.
The original version did not have a problem with this because it used
a length, which meant that "i < len" caught this case.
I think you either need to insert an extra check for "!p[1]" when moving
past the escaped character, or move back to a length-based check.
-Peff
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html