fixes for several bugs found via fuzzing: overflow in $'...' hex expansion; fix for accessing freed memory when reading input from stdin and using multiple redirections to stdin; fix for pointer aliasing problem after a syntax error while executing a command string

This commit is contained in:
Chet Ramey
2025-12-30 16:06:40 -05:00
parent 722a855459
commit 4b27601dfd
10 changed files with 235 additions and 11 deletions
+11 -2
View File
@@ -130,7 +130,7 @@ ansicstr (const char *string, size_t len, int flags, int *sawc, size_t *rlen)
c &= 0xFF;
break;
case 'x': /* Hex digit -- non-ANSI */
if ((flags & 2) && *s == '{')
if ((flags & 2) && *s == '{') /* undocumented */
{
flags |= 16; /* internal flag value */
s++;
@@ -143,8 +143,17 @@ ansicstr (const char *string, size_t len, int flags, int *sawc, size_t *rlen)
chars are consumed. */
if (flags & 16)
{
v = c;
for ( ; ISXDIGIT ((unsigned char)*s); s++)
c = (c * 16) + HEXVALUE (*s);
{
v = (v * 16) + HEXVALUE (*s);
if (v > INT_MAX) /* abandon on overflow */
{
v &= INT_MAX;
break;
}
}
c = v;
flags &= ~16;
if (*s == '}')
s++;