Re: heap-buffer-overflow in history_expand
From: Grisha Levit
Subject: Re: heap-buffer-overflow in history_expand
Date: Sun, 30 Apr 2023 05:03:43 -0400
On Sat, Apr 29, 2023, 14:02 Chet Ramey <chet.ramey@case.edu> wrote:
> On 4/28/23 9:28 PM, Grisha Levit wrote:
> > Piping input that simply ends in a leading byte doesn't trigger the issue
> > -- that byte doesn't seem to make it into the input line.
> >
> > This is a bit off topic, but I don't really understand what happens with
> > invalid input sequences in the input, see e.g.:
>
> They should be treated as individual bytes.
>
I think I see what's happening now. Readline accumulates the bytes until a
complete character is read. However, this buffer is not flushed when the
reading of a multibyte character is interrupted by inserting a single byte
character, or by any non-insertion command.
So for example, the \317 byte never gets a chance to be inserted here:
    bash --norc -in <<<$':\317:'
    $ ::
And inserting the byte is deferred until the next byte with the 8th bit set
is read (which can be at some arbitrary future time) here:
    bash --norc -in <<<$':\317\n: \200'
    $ :
    $ : π
You can also reproduce interactively by binding the above input to a macro.
Attached is a patch that I think should address this.
0001-fix-invalid-mb-insert.patch
Description: Text Data
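The behaviour described in the message above, as a simplified C model added here as an example; it is not readline's code and not the attached patch. `feed`, `seq_len` and the `flush` flag are hypothetical names, and the `flush` variant assumes that the bytes of an interrupted sequence are inserted individually, as the quoted reply says they should be.

```c
/* Simplified model of the pending-byte behaviour described in the message.
   Not readline's code: feed(), seq_len() and the flush flag are hypothetical. */
#include <stdio.h>
#include <string.h>
/* UTF-8 sequence length announced by a lead byte; 0 if b cannot start one. */
static int seq_len(unsigned char b) {
    if (b < 0x80) return 1;
    if ((b & 0xE0) == 0xC0) return 2;
    if ((b & 0xF0) == 0xE0) return 3;
    if ((b & 0xF8) == 0xF0) return 4;
    return 0;
}

/* Run n input bytes through the insert loop and store what reaches the line
   in out (at least n bytes). flush == 0 keeps an interrupted sequence pending;
   flush != 0 inserts its bytes individually as soon as it is interrupted. */
size_t feed(const char *in, size_t n, int flush, char *out) {
    unsigned char pend[4];
    size_t np = 0, no = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char b = (unsigned char)in[i];
        if (b < 0x80) {                 /* single-byte char or command (e.g. \n) */
            if (flush && np) { memcpy(out + no, pend, np); no += np; np = 0; }
            out[no++] = (char)b;
            continue;
        }
        if (np && (b & 0xC0) != 0x80) { /* new lead byte: pending run is invalid */
            memcpy(out + no, pend, np); no += np; np = 0;
        }
        if (np == 0 && seq_len(b) == 0) { out[no++] = (char)b; continue; } /* stray byte */
        pend[np++] = b;
        if (np == (size_t)seq_len(pend[0])) {   /* character complete: insert it */
            memcpy(out + no, pend, np); no += np; np = 0;
        }
    }
    if (flush && np) { memcpy(out + no, pend, np); no += np; }
    return no;
}

int main(void) {
    const char in[] = ":\317\n: \200";  /* constructed: second input from the message */
    char out[sizeof in];
    for (int flush = 0; flush <= 1; flush++) {
        size_t n = feed(in, sizeof in - 1, flush, out);
        printf("flush=%d:", flush);
        for (size_t i = 0; i < n; i++) printf(" %02x", (unsigned char)out[i]);
        putchar('\n');
    }
}
```

With `flush == 0` the \317 byte is lost in the first input and surfaces joined to \200 on the second line of the other, matching the two transcripts in the message; with `flush != 0` every input byte appears in order.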