Tomas Klacko
2015-08-27 15:51:23 UTC
Hi,
$ read -u2000000
Segmentation Fault (core dumped)
$
The crash happens in b_read() in src/cmd/ksh93/bltins/read.c:
126 case 'u':
127 fd = (int)opt_info.num;
128 if(sh_inuse(shp,fd))
129 fd = -1;
130 break;
Because fd is too large, it is not in use, so fd is not set to -1.
Then the fdstatus is indexed with fd and ksh crashes:
144 if(!((r=shp->fdstatus[fd])&IOREAD) || !(r&(IOSEEK|IONOSEEK)))
145 r = sh_iocheckfd(shp,fd);
1. Is this the correct fix?
diff --git a/src/cmd/ksh93/bltins/read.c b/src/cmd/ksh93/bltins/read.c
index 775de72..7228fb8 100644
--- a/src/cmd/ksh93/bltins/read.c
+++ b/src/cmd/ksh93/bltins/read.c
@@ -124,6 +124,8 @@ int b_read(int argc,char *argv[], void *extra)
flags |= S_FLAG;
break;
case 'u':
+ if((opt_info.num>=shp->gd->lim.open_max)||(opt_info.num<0))
+
errormsg(SH_DICT,ERROR_exit(1),e_file,opt_info.arg);
fd = (int)opt_info.num;
if(sh_inuse(shp,fd))
fd = -1;
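Review bot: the new range check covers only the oversized-fd path; the `fd = -1` branch immediately below it is unchanged, and with fd = -1 the existing code at line 144 still evaluates `shp->fdstatus[fd]` before any fd<0 test, so `read -u` on a descriptor that sh_inuse() reports as in use continues to index fdstatus with -1. Suggest rejecting that case with the same errormsg() call used for the out-of-range case (or moving an fd<0 test ahead of the fdstatus[fd] read) rather than carrying the -1 sentinel forward into the indexing. Checking opt_info.num before the (int) cast, as the hunk does, is the right order: a value above INT_MAX could wrap to a small non-negative fd after the cast and slip past a check done on fd.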
2. Is shp->fdstatus[-1] ok to do?
(happens on line 144 when fd is -1)
Tomas Klacko
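As an added example that is not part of this report or of ksh93's own code, the following C program models the two shapes under discussion: the pre-patch path (cast to int, mark "in use" with a -1 sentinel, no range check) and a hardened path that checks the unconverted number against the open-file limit before the cast and refuses an in-use descriptor instead of carrying -1 forward. OPEN_MAX_ASSUMED, IOREAD's value, fdstatus_table, fd_in_use() and the function names are assumptions for illustration; the table and the "in use" predicate are constructed sample data, not ksh93 structures.

```c
/*
 * Added example (not ksh93 code): validating a "-u N" descriptor number
 * before it is used to index a per-fd status table.
 *
 * Assumptions, all constructed for this demo:
 *   OPEN_MAX_ASSUMED stands in for shp->gd->lim.open_max
 *   IOREAD           the report uses only the name; 0x01 is assumed here
 *   fdstatus_table   a fixed-size table like shp->fdstatus
 *   fd_in_use()      stands in for sh_inuse(shp,fd); fd 3 is "reserved"
 */
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

#define OPEN_MAX_ASSUMED 1024
#define IOREAD 0x01

/* Constructed status table: only fds 0, 1 and 2 are marked readable. */
static unsigned char fdstatus_table[OPEN_MAX_ASSUMED] = { IOREAD, IOREAD, IOREAD };

/* Constructed "in use by the shell" predicate. */
static int fd_in_use(int fd)
{
    return fd == 3;
}

/*
 * Pre-patch shape: cast first, no range check, -1 sentinel for "in use".
 * The index is returned rather than dereferenced so the demo itself never
 * reads out of bounds; the caller in the report would use it directly.
 */
int unsafe_fd_index(intmax_t num)
{
    int fd = (int)num;          /* wraps for num > INT_MAX */
    if (fd_in_use(fd))
        fd = -1;                /* sentinel that later becomes fdstatus[-1] */
    return fd;
}

/*
 * Hardened shape: reject negative and >= open_max on the unconverted value,
 * then cast, then treat "in use" as an error instead of a sentinel.
 * Returns the validated fd, or -1 if the number must be refused.
 */
int validate_read_fd(intmax_t num)
{
    if (num < 0 || num >= OPEN_MAX_ASSUMED)
        return -1;              /* cannot be used to index fdstatus_table */
    int fd = (int)num;          /* safe: 0 <= num < OPEN_MAX_ASSUMED */
    if (fd_in_use(fd))
        return -1;              /* refuse here; never index with -1 */
    return fd;
}

/* Look up the IOREAD bit only after validation; -1 means "rejected". */
int read_fd_status(intmax_t num)
{
    int fd = validate_read_fd(num);
    if (fd < 0)
        return -1;
    return fdstatus_table[fd] & IOREAD;   /* in bounds by construction */
}

int main(void)
{
    /* Constructed probes: normal fd, in-use fd, the report's 2000000,
       a negative value, and a value that wraps when cast to int. */
    intmax_t probes[] = { 0, 3, 2000000, -1, INTMAX_C(4294967299) };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("num=%" PRIdMAX " unsafe_index=%d validated=%d status=%d\n",
               probes[i], unsafe_fd_index(probes[i]),
               validate_read_fd(probes[i]), read_fd_status(probes[i]));
    }
    return 0;
}
```

The unsafe variant shows why the report's check belongs before the cast: for 2000000 it hands back an index far past the table, and for an in-use fd it hands back -1, the index the report asks about in its second question. The validated variant never produces either value for the caller to dereference.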