diff options
| author | Rob Landley <rob@landley.net> | 2014-12-15 03:34:55 -0600 |
|---|---|---|
| committer | Rob Landley <rob@landley.net> | 2014-12-15 03:34:55 -0600 |
| commit | a1ea6bb8ea8143cc18fa00703e58819929501654 (patch) | |
| tree | b188aa86e6016af475a8ce80bcdc2c0a780bb415 | |
| parent | 807a50d89976e2de081d487a54e8e109d49f0a6d (diff) | |
| download | toybox-a1ea6bb8ea8143cc18fa00703e58819929501654.tar.gz | |
Fix yet another sed bug.
The s/// command would copy the \ of substitutions before deciding what to
do with them (generally overwriting the \ with the new data). When the
substitution was A) at the very end of the new string, B) resolved to nothing,
it could leave a trailing \ that didn't belong there and didn't get overwritten
because the "copy trailing data" part that copies the original string's null
terminator already happened before the \ overwrote it.
The ghostwheel() function restarts regexes after embedded NUL bytes, but
if the string it's passed is _longer_ than the length it's told then it
gets confused (and it means we're off the end of our allocation so segfaults
are likely).
Fix: test for \ first and move the "copy byte" logic into an else case.
| -rw-r--r-- | toys/pending/sed.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/toys/pending/sed.c b/toys/pending/sed.c index fd5352a0..87038064 100644 --- a/toys/pending/sed.c +++ b/toys/pending/sed.c @@ -512,25 +512,28 @@ static void walk_pattern(char **pline, long plen) for (off = mlen = 0; new[off]; off++) { int cc = 0, ll; - if ((rswap[mlen++] = new[off]) == '\\') { + if (new[off] == '\\') { cc = new[++off] - '0'; if (cc<0 || cc>9) { - if (!(rswap[mlen-1] = unescape(new[off]))) + if (!(rswap[mlen++] = unescape(new[off]))) rswap[mlen-1] = new[off]; continue; } else if (match[cc].rm_so == -1) error_exit("no s//\\%d/", cc); - } else if (new[off] != '&') continue; + } else if (new[off] != '&') { + rswap[mlen++] = new[off]; + + continue; + } ll = match[cc].rm_eo-match[cc].rm_so; - memcpy(rswap+(--mlen), rline+match[cc].rm_so, ll); + memcpy(rswap+mlen, rline+match[cc].rm_so, ll); mlen += ll; } rline = rswap+newlen; free(line); line = swap; - len = rlen+(rline-line); // Stop after first substitution unless we have flag g if (!(logrus->sflags & 2)) break; |