projects / platform / upstream / toybox.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 807a50d)
Fix yet another sed bug.
authorRob Landley <rob@landley.net>
Mon, 15 Dec 2014 09:34:55 +0000 (03:34 -0600)
committerRob Landley <rob@landley.net>
Mon, 15 Dec 2014 09:34:55 +0000 (03:34 -0600)
The s/// command would copy the \ of substitutions before deciding what to
do with them (generally overwriting the \ with the new data). When the
substitution was A) at the very end of the new string, B) resolved to nothing,
it could leave a trailing \ that didn't belong there and didn't get overwritten
because the "copy trailing data" part that copies the original string's null
terminator already happened before the \ overwrote it.

The ghostwheel() function restarts regexes after embedded NUL bytes, but
if the string it's passed is _longer_ than the length it's told then it
gets confused (and it means we're off the end of our allocation so segfaults
are likely).

Fix: test for \ first and move the "copy byte" logic into an else case.

toys/pending/sed.c patch | blob | history

diff --git a/toys/pending/sed.c b/toys/pending/sed.c
index fd5352a..8703806 100644 (file)
--- a/toys/pending/sed.c
+++ b/toys/pending/sed.c
@@ -512,25 +512,28 @@ static void walk_pattern(char **pline, long plen)
         for (off = mlen = 0; new[off]; off++) {
           int cc = 0, ll;
 
-          if ((rswap[mlen++] = new[off]) == '\\') {
+          if (new[off] == '\\') {
             cc = new[++off] - '0';
             if (cc<0 || cc>9) {
-              if (!(rswap[mlen-1] = unescape(new[off])))
+              if (!(rswap[mlen++] = unescape(new[off])))
                 rswap[mlen-1] = new[off];
 
               continue;
             } else if (match[cc].rm_so == -1) error_exit("no s//\\%d/", cc);
-          } else if (new[off] != '&') continue;
+          } else if (new[off] != '&') {
+            rswap[mlen++] = new[off];
+
+            continue;
+          }
 
           ll = match[cc].rm_eo-match[cc].rm_so;
-          memcpy(rswap+(--mlen), rline+match[cc].rm_so, ll);
+          memcpy(rswap+mlen, rline+match[cc].rm_so, ll);
           mlen += ll;
         }
 
         rline = rswap+newlen;
         free(line);
         line = swap;
-        len = rlen+(rline-line);
 
         // Stop after first substitution unless we have flag g
         if (!(logrus->sflags & 2)) break;
Domain: Network & Connectivity / Common;