Ondrej Oprala
2015-04-08 14:29:09 UTC
Hi, please find attached a patch fixing an off-by-one error found by one
of our customers.
Reproducer:
# su - testksh
$
$
$
$ function dlog
{
fc -ln -0
}
$ trap dlog DEBUG
$ >/tmp/blah
...
Segmentation fault (core dumped)
----
In a nutshell, when the debug trap is set, with static int jobsaveid being
placed in memory after the static char* argv[1] changed in the patch, the
sh_trace() function tries to cycle through argv, probably expecting a
NULL-terminated array (which is what the second argv element is for),
instead reading jobsaveid's value and reading on until it gets to memory
the process doesn't own.
Cheers,
Ondrej
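To make the mechanism in the report concrete, here is an added C model of the two layouts (my own illustration, not ksh source; the struct names and the set_trace_argv/count_args helpers are hypothetical stand-ins for the real statics and for sh_trace()):

```c
#include <stddef.h>
#include <stdio.h>

/* Model of the layout described in the report: the one-slot argv is
 * immediately followed by jobsaveid, so a NULL-terminated walk of argv has
 * no terminator slot and would run into jobsaveid's bytes. */
struct before_fix { char *argv[1]; int jobsaveid; };
/* Layout after the fix: a second slot reserved for the NULL terminator. */
struct after_fix  { char *argv[2]; int jobsaveid; };

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Store one command word into a NULL-terminated argv with 'cap' slots.
 * Refuses (returns -1) when no slot is left for the terminator, which is
 * exactly the situation the one-element array is in. */
static int set_trace_argv(char **argv, size_t cap, char *cmd) {
    if (cap < 2)
        return -1;
    argv[0] = cmd;
    argv[1] = NULL;
    return 0;
}

/* What sh_trace() effectively does: walk argv until it finds NULL.
 * Only safe when a terminator slot exists, hence the check above. */
static size_t count_args(char **argv) {
    size_t n = 0;
    while (argv[n] != NULL)
        n++;
    return n;
}

/* Pre-fix layout: the word fits but the terminator does not, so the
 * bounded writer rejects it instead of silently overrunning into jobsaveid. */
int trace_before_fix(char *cmd) {
    static struct before_fix s;
    return set_trace_argv(s.argv, ARRAY_LEN(s.argv), cmd);   /* -1 */
}

/* Post-fix layout: word and terminator both fit, and the walk stops after
 * one element rather than reading jobsaveid as a pointer. */
long trace_after_fix(char *cmd) {
    static struct after_fix s;
    if (set_trace_argv(s.argv, ARRAY_LEN(s.argv), cmd) != 0)
        return -1;
    return (long)count_args(s.argv);                          /* 1 */
}

int main(void) {
    printf("before fix: %d\n", trace_before_fix("dlog"));
    printf("after fix: %ld\n", trace_after_fix("dlog"));
    return 0;
}
```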