List: busybox
Subject: Re: [PATCH] fix minor memory issues in vi and cpio
From: Sarah Harris <S.E.Harris () kent ! ac ! uk>
Date: 2021-06-24 11:30:52
Message-ID: DB7PR01MB4092F80EE708C87FF7CB85CCF7079 () DB7PR01MB4092 ! eurprd01 ! prod ! exchangelabs ! com
No, the write here:
while (isalnum_(*++p)) {
--> p[-1] = *p;
}
I can demonstrate my example by adding some printf's.
With the attached patch applied, the command "./busybox awk -e foo" produces this output:
argv[0]: 0x7ffec28dde2d "awk"
argv[1]: 0x7ffec28dde31 "-e"
argv[2]: 0x7ffec28dde34 "foo"
program: 0x7ffec28dde34 "foo"
write: 0x7ffec28dde33 0x00
write: 0x7ffec28dde34 f 0x66
write: 0x7ffec28dde35 o 0x6f
The first write to p[-1] is before argv[2] (i.e. before the program buffer), and
overwrites the null at the end of argv[1]. This probably works, so long as argv[1] is
always there to overwrite and isn't read afterward.
Kind regards,
Sarah Harris
["debug.patch" (text/x-patch)]
diff --git a/editors/awk.c b/editors/awk.c
index 5f1d670a4..cf9db3df5 100644
--- a/editors/awk.c
+++ b/editors/awk.c
@@ -1217,8 +1217,10 @@ static uint32_t next_token(uint32_t expected)
if (!isalnum_(*p))
syntax_error(EMSG_UNEXP_TOKEN); /* no */
/* yes */
+ printf("program: %p \"%s\"\n", p, p);
t_string = --p;
while (isalnum_(*++p)) {
+ printf("write: %p %c 0x%02x\n", &p[-1], p[-1], p[-1]);
p[-1] = *p;
}
p[-1] = '\0';
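Review bot: the printf added inside the while loop reads p[-1] before it is overwritten, so on the first iteration it reads the byte one before the start of the program string (the same location the write then hits) and passes it to %c, which puts a raw NUL into stdout, as the "write: ... 0x00" line in the message shows. Print only the address and the hex value, send the trace to stderr so it does not mix with awk's own output, and cast the pointers given to %p to (void *).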
@@ -3351,6 +3353,10 @@ int awk_main(int argc UNUSED_PARAM, char **argv)
char **envp;
char *vnames = (char *)vNames; /* cheat */
char *vvalues = (char *)vValues;
+ int index;
+ for (index=0; argv[index]; index++) {
+ printf("argv[%d]: %p \"%s\"\n", index, argv[index], argv[index]);
+ }
INIT_G();
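Review bot: the argv dump added at the top of awk_main writes to stdout, so it ends up in the output stream of every script run with this build; use fprintf(stderr, ...) and keep it behind a debug #if so it cannot be merged by accident. The counter name "index" also shadows the libc index() function from <strings.h>, so "i" would avoid a -Wshadow warning, and argv[index] should be cast to (void *) for %p.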
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
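An added example, not part of the original message or of BusyBox: the loop quoted in the message, run on a constructed buffer that mimics the argv layout from the printed output, to show which byte the first write hits. The helper name shift_ident, the isalnum_ stand-in and the buffer contents are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for awk.c's isalnum_(): alphanumeric or underscore (assumed). */
static int isalnum_(int c) { return isalnum(c) || c == '_'; }

/* Runs the identifier-shifting loop from next_token() on the string at
 * block[start] (start must be >= 1 so the write stays inside block).
 * Returns the lowest offset written by the loop body; *nwrites counts
 * the loop-body writes (the final terminator write is not counted). */
static size_t shift_ident(char *block, size_t start, size_t *nwrites)
{
    char *p = block + start;
    size_t lowest = (size_t)-1;

    *nwrites = 0;
    --p;                                    /* t_string = --p; */
    while (isalnum_((unsigned char)*++p)) {
        size_t off = (size_t)(&p[-1] - block);
        if (off < lowest)
            lowest = off;
        p[-1] = *p;                         /* shift one byte to the left */
        ++*nwrites;
    }
    p[-1] = '\0';
    return lowest;
}

int main(void)
{
    /* Constructed layout: "awk" at 0, "-e" at 4, "foo" at 7, as in the
     * addresses printed in the message (0x..2d, 0x..31, 0x..34). */
    char block[] = "awk\0-e\0foo";
    size_t start = 7, nwrites;
    size_t lowest = shift_ident(block, start, &nwrites);

    printf("program starts at offset %zu, first write at offset %zu\n",
           start, lowest);
    printf("argv[1] now reads \"%s\"\n", block + 4);
    printf("token reads \"%s\"\n", block + lowest);
    return 0;
}
```

In this constructed layout the first write lands on the terminator of "-e", so a later read of that string runs on into the token.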