now tested - (was Re: backquote expansion bug in /bin/sh ( fix included ))

[Andrew Atrens <atrens@xxxxxxxxxxxxxxxxxx>]

Andrew Atrens wrote:

> On February 4, 2004 06:55 pm, Simon 'corecode' Schubert wrote:
>> On 04.02.2004, at 21:42, Andrew Atrens wrote:
>> > Here's a patch to sh, which fixes this -
>> >
>> >
>> > "/usr/bin/cvs" -z3 -Q diff -N -b -B -kk  -r 1.3 -r 1.3.2.1 "expand.c"
>> > Index: expand.c
>> > ===================================================================
>> > RCS file: /usr/dfly/repo/src/bin/sh/expand.c,v
>> > retrieving revision 1.3
>> > retrieving revision 1.3.2.1
>> > diff -b -B -r1.3 -r1.3.2.1
>> > 472c472
>> > <       for (p--; lastc == '\n'; lastc = *--p)
>> > ---
>> >
>> >>       for ( ; *(dest-1) == '\n' ; )
>>
>> It lacks some bounds checking. Under sucky circumstances both old and
>> new version will eat back up the stack...
>>
> 
> Right. In the degenerate case where the bytes immediately preceeding
> expdest in the heap (or data seg. iff you're in the root element of the
> command stack) are == '\n' you'll walk back further than you thought.
> Though this is highly unlikely, it's best to be safe :) :) ...
> 
> I used this -
> 
>         for ( ; (dest - stackblock()) > startloc && *(dest-1) == '\n' ; )
> 

Okay, I've successfully done a make -j10 buildworld with this change. Looks
solid. The old behaviour is definitely broken, so it would be cool to get
this committed :) :) :)

Cheers,

Andrew.