Date: Sun, 25 Jul 2010 22:25:52 +0000 (UTC) From: Jilles Tjoelker <jilles@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r210488 - in head: bin/sh tools/regression/bin/sh/parser Message-ID: <201007252225.o6PMPqLD077591@svn.freebsd.org>
Author: jilles Date: Sun Jul 25 22:25:52 2010 New Revision: 210488 URL: http://svn.freebsd.org/changeset/base/210488 Log: sh: Fix crash due to uninitialized here-document. If an ; or & token was followed by an EOF token, pending here-documents were left uninitialized. Execution would crash, either in the main shell process for literal here-documents or in a child process for expanded here-documents. In the latter case the problem is hard to detect apart from the core dumps and log messages. Side effect: slightly different retries on inputs where EOF is not persistent. Note that tools/regression/bin/sh/parser/heredoc6.0 still causes a similar crash in a child process. The text passed to eval is malformed and should be rejected. Added: head/tools/regression/bin/sh/parser/heredoc7.0 (contents, props changed) Modified: head/bin/sh/parser.c Modified: head/bin/sh/parser.c ============================================================================== --- head/bin/sh/parser.c Sun Jul 25 21:59:12 2010 (r210487) +++ head/bin/sh/parser.c Sun Jul 25 22:25:52 2010 (r210488) @@ -269,6 +269,9 @@ list(int nlflag) parseheredoc(); if (nlflag) return n1; + } else if (tok == TEOF && nlflag) { + parseheredoc(); + return n1; } else { tokpushback++; } Added: head/tools/regression/bin/sh/parser/heredoc7.0 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tools/regression/bin/sh/parser/heredoc7.0 Sun Jul 25 22:25:52 2010 (r210488) 
@@ -0,0 +1,19 @@ +# $FreeBSD$ + +# Some of these created malformed parse trees with null pointers for here +# documents, causing the here document writing process to segfault. +eval ': <<EOF' +eval ': <<EOF;' +eval '`: <<EOF`' +eval '`: <<EOF;`' +eval '`: <<EOF`;' +eval '`: <<EOF;`;' + +# Some of these created malformed parse trees with null pointers for here +# documents, causing sh to segfault. +eval ': <<\EOF' +eval ': <<\EOF;' +eval '`: <<\EOF`' +eval '`: <<\EOF;`' +eval '`: <<\EOF`;' +eval '`: <<\EOF;`;'
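Review bot: In the parser.c hunk, the new `else if (tok == TEOF && nlflag)` branch in list() only covers the nlflag-set case. When nlflag is zero, a TEOF after `;` or `&` still falls through to `tokpushback++` without a parseheredoc() call. A short comment saying where pending here-documents get read on that path, or why none can be pending, would help, since the log message notes that heredoc6.0 still crashes in a similar way. The new branch also returns n1 without pushing the TEOF back, unlike the else branch. The log message mentions the resulting change in retries, and a one-line comment at the branch would keep that visible to the next reader of list().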
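Review bot: In heredoc7.0, the first group of six evals (unquoted `<<EOF`) covers the case where, per the file's own comment, the crash happened in the here-document writing process, and the log message says that case is hard to detect apart from core dumps and log messages. Nothing in these lines checks an observable result of that child process, so it is not clear how a regression in the first group would make the test fail. Consider having the command consume the here-document and checking its output or status, so a crash in the writer shows up in the test result. The second group (`<<\EOF`) crashes the main shell according to its comment, which the test's own exit status should already catch.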