[PATCH] use-after-free in expand_string_dollar

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH] use-after-free in expand_string_dollar_quote

From:	Grisha Levit
Subject:	[PATCH] use-after-free in expand_string_dollar_quote
Date:	Thu, 1 Jun 2023 12:42:12 -0400

A use-after-free happens in expand_string_dollar_quote if
noexpand_translation is enabled and a string's translation is the same
length as the string itself.
---
diff --git a/subst.c b/subst.c
index 08d9285e..a7a386d4 100644
--- a/subst.c
+++ b/subst.c
@@ -4231,12 +4231,17 @@ expand_string_dollar_quote (const char
*string, int flags)
                  continue;
                }
              trans = locale_expand (t, 0, news-sindex, 0, &translen);
-             free (t);
              if (singlequote_translations &&
                    ((news-sindex-1) != translen || STREQN (t, trans,
translen) == 0))
-               t = sh_single_quote (trans);
+               {
+                 free (t);
+                 t = sh_single_quote (trans);
+               }
              else
-               t = sh_mkdoublequoted (trans, translen, 0);
+               {
+                 free (t);
+                 t = sh_mkdoublequoted (trans, translen, 0);
+               }
              sindex = news;
            }
 #endif /* TRANSLATABLE_STRINGS */

[Prev in Thread]

Current Thread

[Next in Thread]

[PATCH] use-after-free in expand_string_dollar_quote, Grisha Levit <=
- Re: [PATCH] use-after-free in expand_string_dollar_quote, Chet Ramey, 2023/06/03

Next by Date: set -e not working as expected with conditional operators
Next by thread: Re: [PATCH] use-after-free in expand_string_dollar_quote
Index(es):
- Date
- Thread