github-mirror/fish-shell
github-mirror/fish-shell
2
0
Fork 0
mirror of https://github.com/fish-shell/fish-shell.git synced 2025-02-21 00:14:57 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix a dereference-past-the-end bug in read_redirection_or_fd_pipe

Browse Source 
Fixes #2464. Credit to zanchey for reporting it and ASAN for finding it!
This commit is contained in:
ridiculousfish 2015-10-07 11:38:13 -07:00
parent 1bdf06836a
commit e8605cb3ef
1 changed files with 23 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
src/tokenizer.cpp
View File

@ -466,31 +466,33 @@ static size_t read_redirection_or_fd_pipe(const wchar_t *buff, enum token_type *
errored = true;
}
/* Optional characters like & or ?, or the pipe char | */
wchar_t opt_char = buff[idx];
if (opt_char == L'&')
{
redirection_mode = TOK_REDIRECT_FD;
idx++;
}
else if (opt_char == L'?')
{
redirection_mode = TOK_REDIRECT_NOCLOB;
idx++;
}
else if (opt_char == L'|')
{
/* So the string looked like '2>|'. This is not a redirection - it's a pipe! That gets handled elsewhere. */
redirection_mode = TOK_PIPE;
idx++;
}
/* Don't return valid-looking stuff on error */
if (errored)
{
idx = 0;
redirection_mode = TOK_NONE;
}
else
{
/* Optional characters like & or ?, or the pipe char | */
wchar_t opt_char = buff[idx];
if (opt_char == L'&')
{
redirection_mode = TOK_REDIRECT_FD;
idx++;
}
else if (opt_char == L'?')
{
redirection_mode = TOK_REDIRECT_NOCLOB;
idx++;
}
else if (opt_char == L'|')
{
/* So the string looked like '2>|'. This is not a redirection - it's a pipe! That gets handled elsewhere. */
redirection_mode = TOK_PIPE;
idx++;
}
}
/* Return stuff */
if (out_redirection_mode != NULL)
@ -684,7 +686,9 @@ void tokenizer_t::tok_next()
enum token_type mode = TOK_NONE;
int fd = -1;
if (iswdigit(*this->buff))
{
consumed = read_redirection_or_fd_pipe(this->buff, &mode, &fd);
}
if (consumed > 0)
{