bug-bash

size_t issue in expand_string_dollar_quote


From: Grisha Levit
Subject: size_t issue in expand_string_dollar_quote
Date: Wed, 29 Mar 2023 18:28:37 -0400

bash --norc -in <<<$'"\e\cE'

ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 wrap_strncpy+0x228
    #1 expand_string_dollar_quote subst.c:4108
    #2 shell_expand_line bashline.c:2887

probably not the cleanest fix but the issue is here:

diff --git a/subst.c b/subst.c
index 2ff9b7c2..35c0fdd1 100644
--- a/subst.c
+++ b/subst.c
@@ -4100,7 +4100,7 @@ expand_string_dollar_quote (const char *string, int flags)
            news = skip_single_quoted (string, slen, ++sindex, SX_COMPLETE);
          else
            news = skip_double_quoted (string, slen, ++sindex, SX_COMPLETE);
-         translen = news - sindex - 1;
+         translen = (news > sindex) ? news - sindex - 1 : 0;
          RESIZE_MALLOCED_BUFFER (ret, retind, translen + 3, retsize, 64);
          ret[retind++] = c;
          if (translen > 0)
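
Review bot: the ternary on the `translen` line silently clamps every `news <= sindex` result to 0, with no comment saying when skip_single_quoted or skip_double_quoted can return an index that is not past `sindex`. The reproducer above has an opening double quote with no closing one, so a short comment naming that case would help the next reader. The existing `if (translen > 0)` guard did not stop the size=-1 strncpy in the ASan report, so it is also worth confirming that any later use of `news` outside this hunk does not assume a closing quote at `news - 1`. An explicit branch for the unterminated case may read more clearly than folding it into the length computation.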


