bug-bash

Re: Bash 2.05 'unsigned char' cleanup


From: Paul Eggert
Subject: Re: Bash 2.05 'unsigned char' cleanup
Date: Mon, 7 May 2001 16:30:13 -0700 (PDT)

> From: "Brian J. Fox" <address@hidden>
> Date: Mon, 07 May 2001 14:03:00 -0700
> 
> I don't see the overrun code.  Perhaps you could explain it to me?

Sure.  Here's the scenario (all done by code inspection):

shell_execve is invoked on a non-directory file where execve fails
with errno==ENOEXEC because we are running on a losing operating
system where HAVE_HASH_BANG_EXEC is not defined.  shell_execve then
reads the first 80 bytes of the file (which are '#', '!', and 78
spaces) into an internal buffer, and invokes execute_shell_script.
execute_shell_script contains the following code:

  /* Find the name of the interpreter to exec. */
  for (i = 2; whitespace (sample[i]) && i < sample_len; i++)
    ;

This code runs off the end of 'sample' because when i==80 it inspects
sample[i] before checking that (i < sample_len) is zero; that is a
subscript error, since 'sample' has only 80 bytes.

This is only an off-by-one subscript error, so I don't think it'll be
much of a problem in practice, except on debuggers that try to catch
all subscript errors.

The simplest fix is to add one byte to 'sample' and to initialize it
to zero, which is what my proposed patch does.  Once you do this, the
code gets a bit simpler anyway.
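The ordering bug the mail describes, as an added example (not Paul's patch and not bash's code): the `sample[i]` read happens before the `i < sample_len` test, so on an 80-byte sample of "#!" and 78 spaces the loop reaches `i == 80` and reads one byte past the buffer. The `read_at` helper and the `probe` driver are assumptions of this example; they stand in for a bounds-checking debugger so the stray read can be observed instead of being undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

#define SAMPLE_LEN 80              /* bytes shell_execve reads in the mail */

/* whitespace() as bash's general.h defines it. */
static int whitespace(int c) { return c == ' ' || c == '\t'; }

/* Bounds-checked read: a past-the-end access is recorded in *overrun and
   returns 0 instead of becoming undefined behaviour. */
static int read_at(const char *buf, size_t len, size_t i, int *overrun)
{
    if (i >= len) { *overrun = 1; return 0; }
    return (unsigned char) buf[i];
}

/* Condition order from the mail: sample[i] is read before i < sample_len. */
size_t skip_ws_original(const char *sample, size_t sample_len, int *overrun)
{
    size_t i;
    for (i = 2; whitespace(read_at(sample, sample_len, i, overrun))
                && i < sample_len; i++)
        ;
    return i;
}

/* Bound tested first, so sample[i] is only read while i < sample_len. */
size_t skip_ws_bounded(const char *sample, size_t sample_len, int *overrun)
{
    size_t i;
    for (i = 2; i < sample_len
                && whitespace(read_at(sample, sample_len, i, overrun)); i++)
        ;
    return i;
}

/* Runs one skip function on a constructed 80-byte sample holding "#!"
   and 78 spaces.  Returns the stop index if no out-of-range read
   happened, or -1 if the scan touched sample[80]. */
long probe(size_t (*skip)(const char *, size_t, int *))
{
    char sample[SAMPLE_LEN];
    int overrun = 0;
    size_t stop;
    sample[0] = '#'; sample[1] = '!';
    memset(sample + 2, ' ', SAMPLE_LEN - 2);
    stop = skip(sample, SAMPLE_LEN, &overrun);
    return overrun ? -1 : (long) stop;
}
```

Both loops stop at index 80 on this input; the difference is only that the original order reads `sample[80]` on the way there, which is the subscript error a checking debugger would flag.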
