\U expansion in single-byte locale

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

\U expansion in single-byte locale

From:	Grisha Levit
Subject:	\U expansion in single-byte locale
Date:	Fri, 26 May 2023 03:44:30 -0400

If expanding a \u (or \U) escape sequence fails, Bash replaces the
input escape sequence with a newly generated one:

$ LC_ALL=C printf %b \\U80
\u0080

Since this new sequence may by longer than the input, it can cause an
overflow in printf:

$ bash-asan -c 'LC_ALL=C printf %b \\U80'
ERROR: AddressSanitizer: heap-buffer-overflow ...
WRITE of size 1 at 0x0001062028f5 thread T0
    #0 0x1031bed94 in bexpand printf.def:1180
    #1 0x1031ad19c in printf_builtin printf.def:610

TBH I found this fallback behavior kind of surprising and was
expecting the escape sequence to expand to either a null string or to
itself (though some tools assume __STDC_ISO_10646__ behavior even
without checking and expand to what may (or may not) be the correct
codepoint).

[Prev in Thread]

Current Thread

[Next in Thread]

\U expansion in single-byte locale, Grisha Levit <=
- Re: \U expansion in single-byte locale, Chet Ramey, 2023/05/29

Prev by Date: Re: heap-buffer-overflow in history_expand
Next by Date: ctype.h functions on bytes 0x80..0xFF
Previous by thread: text similar to JSON can cause memory of bash to become abnormally large
Next by thread: Re: \U expansion in single-byte locale
Index(es):
- Date
- Thread