Commit
Fix out-of-bounds write on Ctrl+C with -H on (#700)

On OpenBSD 7.4, ksh crashes when SIGINT is sent with Ctrl+C in the
absence of a foreground job, provided that:

* The histexpand option is set
* ksh was built without AST_vmalloc

This happens because slowread in io.c attempts to append \0 to the
buffer before calling hist_expand. In the case of SIGINT, the size of
the buffer (rsize) registers as -1 from ed_emacsread or ed_viread,
resulting in an out-of-bounds write. Because of the strict malloc of
OpenBSD, the shell crashes.

The fix is straightforward: in slowread, check for positive (rather
than non-zero) buffer size before proceeding with history
expansion-related operations.

Although this crash would have first appeared in default builds when
vmalloc was deprecated in December 2021 (f9364b1), the bad write itself
has been present since history expansion was introduced in June 2003
(ksh93o+).

src/cmd/ksh93/sh/io.c: slowread():
- Check for positive buffer size before preparing to attempt history
  expansion.
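The defect pattern the commit describes, shown as an added illustration that is not ksh93's own code: a line reader that can return -1 on interruption, a caller that stores a terminating NUL at buf[rsize] before handing the line to history expansion, and the difference between checking rsize for "non-zero" and for "positive". The names fake_edit_read, slowread_unfixed, slowread_fixed, last_line and the return codes are constructed for this example and do not exist in ksh93; the unfixed path reports the would-be out-of-bounds store instead of performing it so the program stays well-defined.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define LINE_MAX_LEN 64

/* Constructed stand-in for the line editor's read routine (the role
 * ed_emacsread/ed_viread play in ksh93): copies a fixed line into buf
 * and returns its length, or -1 when the read was interrupted, which
 * is what an interrupted read reports on SIGINT. */
static ssize_t fake_edit_read(char *buf, size_t size, int interrupted)
{
    static const char line[] = "echo hello";
    size_t n = sizeof line - 1;

    if (interrupted)
        return -1;
    if (n > size)
        n = size;
    memcpy(buf, line, n);
    return (ssize_t)n;
}

/* Return codes shared by both versions of the reader below. */
enum {
    READ_NO_EXPAND = 0,   /* no history expansion attempted */
    READ_EXPANDED  = 1,   /* line terminated and handed to expansion */
    READ_OOB_WRITE = 2    /* unfixed logic would have written buf[-1] */
};

/* Copy of the last line that reached "history expansion" (constructed). */
static char last_line[LINE_MAX_LEN + 1];

/* Unfixed shape of the check: "rsize != 0" lets rsize == -1 through, so
 * buf[rsize] = '\0' would become buf[-1] = '\0'.  The bad store is
 * reported rather than executed. */
static int slowread_unfixed(int interrupted, int histexpand)
{
    char buf[LINE_MAX_LEN + 1];
    ssize_t rsize = fake_edit_read(buf, LINE_MAX_LEN, interrupted);

    if (histexpand && rsize) {
        if (rsize < 0)
            return READ_OOB_WRITE;  /* buf[-1] = '\0' would happen here */
        buf[rsize] = '\0';
        strcpy(last_line, buf);
        return READ_EXPANDED;
    }
    return READ_NO_EXPAND;
}

/* Fixed shape of the check: only a positive byte count reaches the
 * terminator store, so an interrupted read (-1) and an empty read (0)
 * both skip history expansion. */
static int slowread_fixed(int interrupted, int histexpand)
{
    char buf[LINE_MAX_LEN + 1];
    ssize_t rsize = fake_edit_read(buf, LINE_MAX_LEN, interrupted);

    if (histexpand && rsize > 0) {
        buf[rsize] = '\0';          /* rsize <= LINE_MAX_LEN: in bounds */
        strcpy(last_line, buf);
        return READ_EXPANDED;
    }
    return READ_NO_EXPAND;
}

int main(void)
{
    printf("unfixed, interrupted, histexpand on: %d (2 = out-of-bounds write)\n",
           slowread_unfixed(1, 1));
    printf("fixed,   interrupted, histexpand on: %d\n", slowread_fixed(1, 1));
    printf("fixed,   normal read, histexpand on: %d line=\"%s\"\n",
           slowread_fixed(0, 1), last_line);
    return 0;
}
```

The point the example makes is that a signed length returned by a read routine has three meaningful ranges, not two: negative (error or interruption), zero (nothing read) and positive (data present), and only the last one is a valid index for the terminator store.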