busybox/shell
Denys Vlasenko d5f5045b43 ash: expand: Fix buffer overflow in expandmeta
Upstream commit:

    Date: Sun, 25 Mar 2018 16:38:00 +0800
    expand: Fix buffer overflow in expandmeta

    The native version of expandmeta allocates a buffer that may be
    overrun for two reasons.  First of all the size is 1 byte too small
    but this is normally hidden because the minimum size is rounded
    up to 2048 bytes.  Secondly, if the directory level is deep enough,
    any buffer can be overrun.

    This patch fixes both problems by calling realloc when necessary.

    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

function                                             old     new   delta
expmeta                                              517     635    +118
expandarg                                            990     996      +6
mklocal                                              288     290      +2
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 3/0 up/down: 126/0)             Total: 126 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-04-14 14:50:47 +02:00
..
ash_test shell: add 6856 $IFS tests to testsuites 2018-04-11 20:24:58 +02:00
hush_test shell: add 6856 $IFS tests to testsuites 2018-04-11 20:24:58 +02:00
ash_doc.txt
ash_ptr_hack.c
ash.c ash: expand: Fix buffer overflow in expandmeta 2018-04-14 14:50:47 +02:00
brace.txt
Config.src config: deindent all help texts 2017-07-21 09:50:55 +02:00
cttyhack.c regularize format of source file headers, no code changes 2017-09-18 16:28:43 +02:00
hush_doc.txt
hush_leaktool.sh
hush.c hush: fix recent breakage from parse_stream() changes 2018-04-11 20:00:43 +02:00
Kbuild.src Make it possible to select "sh" and "bash" aliases without selecting ash or hush 2016-12-23 16:56:43 +01:00
match.c hush: fix a='a\\'; echo "${a%\\\\}" 2018-03-02 20:48:36 +01:00
match.h
math.c shell: handle $((NUM++...) like bash does. Closes 10706 2018-01-28 20:13:33 +01:00
math.h Make it possible to select "sh" and "bash" aliases without selecting ash or hush 2016-12-23 16:56:43 +01:00
random.c
random.h
README
README.job
shell_common.c hush: fix IFS handling in read 2018-04-11 17:18:34 +02:00
shell_common.h shell: more efficient check for EOL in read 2017-08-09 14:04:07 +02:00

http://www.opengroup.org/onlinepubs/9699919799/
Open Group Base Specifications Issue 7


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap01.html
Shell & Utilities

It says that any of the standard utilities may be implemented
as a regular shell built-in. It gives a list of utilities which
are usually implemented that way (and some of them can only
be implemented as built-ins, like "alias"):

alias
bg
cd
command
false
fc
fg
getopts
jobs
kill
newgrp
pwd
read
true
umask
unalias
wait


http://www.opengroup.org/onlinepubs/9699919799/utilities/V3_chap02.html
Shell Command Language

It says that shell must implement special built-ins. Special built-ins
differ from regular ones by the fact that variable assignments
done on special builtin are *PRESERVED*. That is,

VAR=VAL special_builtin; echo $VAR

should print VAL.

(Another distinction is that an error in special built-in should
abort the shell, but this is not such a critical difference,
and moreover, at least bash's "set" does not follow this rule,
which is even codified in autoconf configure logic now...)

List of special builtins:

. file
: [argument...]
break [n]
continue [n]
eval [argument...]
exec [command [argument...]]
exit [n]
export name[=word]...
export -p
readonly name[=word]...
readonly -p
return [n]
set [-abCefhmnuvx] [-o option] [argument...]
set [+abCefhmnuvx] [+o option] [argument...]
set -- [argument...]
set -o
set +o
shift [n]
times
trap n [condition...]
trap [action condition...]
unset [-fv] name...

In practice, no one uses this obscure feature - none of these builtins
gives any special reasons to play such dirty tricks.

However. This section also says that *function invocation* should act
similar to special built-in. That is, variable assignments
done on function invocation should be preserved after function invocation.

This is significant: it is not unthinkable to want to run a function
with some variables set to special values. But because of the above,
it does not work: variable will "leak" out of the function.