Fix buffer overflow in sh_lex()

McDutchie · McDutchie · commit 8d57369b0cb3 · 2022-08-19T18:53:45.000+01:00
This macro expansion in lex.c may assign -1 to n if EOF is reached: 1178: fcgetc(n); As a result, n may be -1 when this code is reached: 1190: if(sh_isoption(SH_BRACEEXPAND) && c==LBRACE && !assignment && state[n]!=S_BREAK 'state[n]' is a buffer overflow if n==-1. src/cmd/ksh93/sh/lex.c: sh_lex(): case S_BRACE: - Apart from the buffer overflow, if n<=0, none of the code following fcget(n) does anything until 'break' on line 1199 is reached. So, if fcget(n) yields <=0, just break. This allows some code simplification. Progresses: ksh93/ksh#518
diff --git a/src/cmd/ksh93/sh/lex.c b/src/cmd/ksh93/sh/lex.c
@@ -1175,14 +1175,12 @@ int sh_lex(Lex_t* lp)
 					goto do_reg;
 				}
 				isfirst = (lp->lexd.first&&fcseek(0)==lp->lexd.first+1);
-				fcgetc(n);
+				if(fcgetc(n)<=0)
+					break;
 				/* check for {} */
 				if(c==LBRACE && n==RBRACE)
 					break;
-				if(n>0)
-					fcseek(-LEN);
-				else if(lp->lex.reservok)
-					break;
+				fcseek(-LEN);
 				/* check for reserved word { or } */
 				if(lp->lex.reservok && state[n]==S_BREAK && isfirst)
 					break;
