dc: fix crashes with : operator (thanks istvan bak)
dc crashes because a Blk* sometimes ends up getting double freed. To make it crash, any of these lines will do (each line is a separate input to dc): 1 sa 2 :a le d sa v :a 1 sa 2 :a le d sa :a 1 sa 2 :a le d sa c Fix by assigning p to sptr->val before EMPTY causes a jump. Additionally, dcgetwd() can return 0; all other uses check for a 0 ptr. Also fix a buffer overflow.
parent
03f209427b
commit
ad9b1234c3
1 changed files with 8 additions and 4 deletions
|
@ -638,8 +638,11 @@ commnds(void)
|
||||||
p = sptr->val;
|
p = sptr->val;
|
||||||
if(c >= ARRAYST) {
|
if(c >= ARRAYST) {
|
||||||
rewind(p);
|
rewind(p);
|
||||||
while(sfeof(p) == 0)
|
while(sfeof(p) == 0) {
|
||||||
release(dcgetwd(p));
|
q = dcgetwd(p);
|
||||||
|
if(q != 0)
|
||||||
|
release(q);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
release(p);
|
release(p);
|
||||||
} else {
|
} else {
|
||||||
|
@ -711,6 +714,7 @@ commnds(void)
|
||||||
p = q;
|
p = q;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
sptr->val = p;
|
||||||
seekc(p,c*PTRSZ);
|
seekc(p,c*PTRSZ);
|
||||||
q = lookwd(p);
|
q = lookwd(p);
|
||||||
if(q!=0)
|
if(q!=0)
|
||||||
|
@ -718,7 +722,6 @@ commnds(void)
|
||||||
s = pop();
|
s = pop();
|
||||||
EMPTY;
|
EMPTY;
|
||||||
salterwd(p, s);
|
salterwd(p, s);
|
||||||
sptr->val = p;
|
|
||||||
continue;
|
continue;
|
||||||
case ';':
|
case ';':
|
||||||
p = pop();
|
p = pop();
|
||||||
|
@ -1921,7 +1924,8 @@ command(void)
|
||||||
sl = line;
|
sl = line;
|
||||||
*sl++ = c;
|
*sl++ = c;
|
||||||
while((c = readc()) != '\n')
|
while((c = readc()) != '\n')
|
||||||
*sl++ = c;
|
if(sl-line < sizeof(line)-1)
|
||||||
|
*sl++ = c;
|
||||||
*sl = 0;
|
*sl = 0;
|
||||||
if((pid = fork()) == 0) {
|
if((pid = fork()) == 0) {
|
||||||
execl("/bin/rc","rc","-c",line,nil);
|
execl("/bin/rc","rc","-c",line,nil);
|
||||||
|
|
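Review bot: The new bound in the `while((c = readc()) != '\n')` loop of command() stops the write past `line`, but it drops the excess characters silently, so a truncated command is still passed to `execl("/bin/rc","rc","-c",line,nil)` and run. A shell command cut at an arbitrary byte can mean something different from what was typed, so an over-long line should be refused rather than executed: record it with `if(sl-line < sizeof(line)-1) *sl++ = c; else toolong = 1;` (`toolong` being a new local), keep draining to the newline, and skip the `fork()` when it is set, reporting through the file's usual error path. A one-line comment above the check, `/* leave room for the terminating 0 */`, would explain the `-1`. Whether `readc()` can return an end-of-input value inside this loop is not visible here; if it can, the loop condition should stop on it as well. The body of command() starts and ends outside the hunk, so the declaration of `line` and the code after `execl` could not be checked.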