[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug #64124] Use after free in expand_variable_buf.
|
From: |
Dmitry Goncharov |
|
Subject: |
[bug #64124] Use after free in expand_variable_buf. |
|
Date: |
Sat, 29 Apr 2023 09:32:33 -0400 (EDT) |
Follow-up Comment #1, bug #64124 (project make):
There is use after free in expand_variable_buf.
When the expanded value of the variable in buf occupies more space than
avaiable in variable_buffer, function variable_buffer_output reallocates
variable_buffer.
This reallocation leaves buf in expand_variable_buf to point to an already
freed region of memory.
Can be observed by with a sufficiently large value of MAKEFLAGS.
$ cat makefile
$(info hello=$(hello))
all:
$ v=12345
$ echo ${#v}
5
$ MAKEFLAGS=" -- hello=$v" make
hello=12345
make: Nothing to be done for 'all'.
$ v=$( for k in {1..90}; do echo -n $k; done )
$ echo ${#v}
171
$ MAKEFLAGS=" -- hello=$v" make
hello=123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990
make: Nothing to be done for 'all'.
$ v=$( for k in {1..110}; do echo -n $k; done )
$ echo ${#v}
222
$ MAKEFLAGS=" -- hello=$v" make
: invalid option -- '�'
: invalid option -- '�'
: invalid option -- '�'
: invalid option -- '�'
: invalid option -- '^'
: invalid option -- 'U'
Usage: make [options] [target] ...
Options:
-b, -m Ignored for compatibility.
-B, --always-make Unconditionally make all targets.
...
_______________________________________________________
Reply to this item at:
<https://savannah.gnu.org/bugs/?64124>
_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/