From a7fe8d598ce8f4b0163ba72609aaa2c66f6a4315 Mon Sep 17 00:00:00 2001 From: Rob Landley Date: Sat, 5 Sep 2020 04:06:06 -0500 Subject: Fix segfault for sh -c 'echo {a..Z}' Bash produces different output for that test, but I'm not sure I care? http://lists.landley.net/pipermail/toybox-landley.net/2020-September/011990.html The problem is parse_word() guarantees its output's quotes/escapes are completed, but brace expansion happens after parse_word() and thus violating assumptions later code depends on to not do redundant error checking. The easy fix is to escape punctuation produced by parse_word (which in bash can only happen when you span upper and lower case ranges so "\" is the only interesting character). I could special case this to match bash exactly, but I'm waiting for someone to complain instead. --- toys/pending/sh.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'toys/pending') diff --git a/toys/pending/sh.c b/toys/pending/sh.c index 797b96a3..4c3735d7 100644 --- a/toys/pending/sh.c +++ b/toys/pending/sh.c @@ -1417,10 +1417,10 @@ static int expand_arg(struct sh_arg *arg, char *old, unsigned flags, if (!bnext || bb->cnt<0 || bnext->commas[0]>bb->commas[bb->idx+1]) { // output uninterrupted span - if (bb->cnt<0) - s += sprintf(s, (bb->cnt==-1) ? "%c" : "%d", - bb->commas[2]+bb->commas[4]*bb->idx); - else { + if (bb->cnt<0) { + k = bb->commas[2]+bb->commas[4]*bb->idx; + s += sprintf(s, (bb->cnt==-1) ? "\\%c"+!ispunct(k) : "%d", k); + } else { i = bb->commas[bstk->idx]+1; s = stpncpy(s, old+i, bb->commas[bb->idx+1]-i); } -- cgit v1.2.3