From a1ea6bb8ea8143cc18fa00703e58819929501654 Mon Sep 17 00:00:00 2001 From: Rob Landley Date: Mon, 15 Dec 2014 03:34:55 -0600 Subject: [PATCH] Fix yet another sed bug. The s/// command would copy the \ of substitutions before deciding what to do with them (generally overwriting the \ with the new data). When the substitution was A) at the very end of the new string, B) resolved to nothing, it could leave a trailing \ that didn't belong there and didn't get overwritten because the "copy trailing data" part that copies the original string's null terminator already happened before the \ overwrote it. The ghostwheel() function restarts regexes after embedded NUL bytes, but if the string it's passed is _longer_ than the length it's told then it gets confused (and it means we're off the end of our allocation so segfaults are likely). Fix: test for \ first and move the "copy byte" logic into an else case. --- toys/pending/sed.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/toys/pending/sed.c b/toys/pending/sed.c index fd5352a..8703806 100644 --- a/toys/pending/sed.c +++ b/toys/pending/sed.c @@ -512,25 +512,28 @@ static void walk_pattern(char **pline, long plen) for (off = mlen = 0; new[off]; off++) { int cc = 0, ll; - if ((rswap[mlen++] = new[off]) == '\\') { + if (new[off] == '\\') { cc = new[++off] - '0'; if (cc<0 || cc>9) { - if (!(rswap[mlen-1] = unescape(new[off]))) + if (!(rswap[mlen++] = unescape(new[off]))) rswap[mlen-1] = new[off]; continue; } else if (match[cc].rm_so == -1) error_exit("no s//\\%d/", cc); - } else if (new[off] != '&') continue; + } else if (new[off] != '&') { + rswap[mlen++] = new[off]; + + continue; + } ll = match[cc].rm_eo-match[cc].rm_so; - memcpy(rswap+(--mlen), rline+match[cc].rm_so, ll); + memcpy(rswap+mlen, rline+match[cc].rm_so, ll); mlen += ll; } rline = rswap+newlen; free(line); line = swap; - len = rlen+(rline-line); // Stop after first substitution unless we have flag g if (!(logrus->sflags & 2)) break; -- 2.7.4