dc: fix crashes with : operator (thanks istvan bak)

dc crashes because a Blk* sometimes ends getting double freed.
To make it crash, any of these lines will do:
(each line is a separate input to dc):

1 sa 2 :a le d sa v :a
1 sa 2 :a le d sa :a
1 sa 2 :a le d sa c

Fix by assigning p to sptr->val before EMPTY causes a jump.

Additionally, dcgetwd() can return 0. all other uses check for
0 ptr; Also fix a buffer overflow.
Ori Bernstein 2020-11-21 17:56:34 -08:00
parent 03f209427b
commit ad9b1234c3


@ -638,8 +638,11 @@ commnds(void)
p = sptr->val; p = sptr->val;
if(c >= ARRAYST) { if(c >= ARRAYST) {
rewind(p); rewind(p);
while(sfeof(p) == 0) while(sfeof(p) == 0) {
release(dcgetwd(p)); q = dcgetwd(p);
if(q != 0)
release(q);
}
} }
release(p); release(p);
} else { } else {
@ -711,6 +714,7 @@ commnds(void)
p = q; p = q;
} }
} }
sptr->val = p;
seekc(p,c*PTRSZ); seekc(p,c*PTRSZ);
q = lookwd(p); q = lookwd(p);
if(q!=0) if(q!=0)
@ -718,7 +722,6 @@ commnds(void)
s = pop(); s = pop();
EMPTY; EMPTY;
salterwd(p, s); salterwd(p, s);
sptr->val = p;
continue; continue;
case ';': case ';':
p = pop(); p = pop();
@ -1921,7 +1924,8 @@ command(void)
sl = line; sl = line;
*sl++ = c; *sl++ = c;
while((c = readc()) != '\n') while((c = readc()) != '\n')
*sl++ = c; if(sl-line < sizeof(line)-1)
*sl++ = c;
*sl = 0; *sl = 0;
if((pid = fork()) == 0) { if((pid = fork()) == 0) {
execl("/bin/rc","rc","-c",line,nil); execl("/bin/rc","rc","-c",line,nil);
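Review bot: In the last hunk (command()), the new bound `if(sl-line < sizeof(line)-1)` stops the overflow but silently drops the excess bytes, and the truncated string is still passed to `rc -c` by the execl() below. A shell command cut at an arbitrary byte can mean something different from what was typed, so an over-long line should be rejected rather than run: record the drop with something like `else toolong = 1;` (a new local, name illustrative) and skip the fork with a diagnostic when it is set. The loop also ends only on '\n'; whether readc() can return an end-of-input value at this point is not visible in the hunk, so that is worth confirming. command() begins and ends outside the hunk.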