View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000537 | tcsh | General | public | 2024-06-25 08:46 | 2024-06-25 08:46 |
Reporter | rtm | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Platform | amd64 | OS | FreeBSD | OS Version | 14.1 |
Product Version | 6.22.03 | ||||
Summary | 0000537: M-/ can cause c_endword() to read before start of buffer | ||||
Description | If the previous input was just ' by itself, then M-/ can cause this line in c_endword():

    if (inquote || p[-1] != (Char)'\\') { /* Should it be honored? */

to access memory before the start of the heap block to which p points.

tcsh 6.22.04 (Astron) 2021-04-26 (x86_64-amd-FreeBSD) options wide,nls,dl,al,kan,sm,rh,color,filec

To reproduce, run tcsh under valgrind and type

    ' <return> / <esc> /

    Invalid read of size 4
       at 0x162869: c_endword (tcsh/ed.chared.c:804)
       by 0x162703: c_preword (tcsh/ed.chared.c:269)
       by 0x16237C: e_dabbrev_expand (tcsh/ed.chared.c:2195)
       by 0x16D275: Inputl (tcsh/ed.inputl.c:186)
       by 0x1423A6: bgetc (tcsh/sh.lex.c:1679)
       by 0x140B8E: readc (tcsh/sh.lex.c:1440)
       by 0x140442: lex (tcsh/sh.lex.c:160)
       by 0x1238D0: process (tcsh/sh.c:2071)
       by 0x122AA0: main (tcsh/sh.c:1430)
     Address 0x56d27cc is 4 bytes before a block of size 32 alloc'd
       at 0x4851951: realloc (vg_replace_malloc.c:1694)
       by 0x179005: srealloc (tcsh/tc.alloc.c:551)
       by 0x184ABE: Strbuf_finish (tcsh/tc.str.c:710)
       by 0x17A98A: expand_lex (tcsh/tc.func.c:141)
       by 0x162403: e_dabbrev_expand (tcsh/ed.chared.c:2201)
       by 0x16D275: Inputl (tcsh/ed.inputl.c:186)
       by 0x1423A6: bgetc (tcsh/sh.lex.c:1679)
       by 0x140B8E: readc (tcsh/sh.lex.c:1440)
       by 0x140442: lex (tcsh/sh.lex.c:160)
       by 0x1238D0: process (tcsh/sh.c:2071)
       by 0x122AA0: main (tcsh/sh.c:1430)
Tags | No tags attached. | ||||
Date Modified | Username | Field | Change |
---|---|---|---|
2024-06-25 08:46 | rtm | New Issue |
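
The `p[-1]` lookback quoted in the report, modelled with an explicit lower bound. This is an added example, not tcsh source and not part of the report: `scan_endword`, `oob_lookbacks` and `endword_index` are hypothetical names, plain `char` stands in for tcsh's `Char`, and the scan is a simplified quote-aware word scan. It performs only guarded reads and counts the positions where an unguarded `p[-1]` test would land before the start of the buffer.

```c
#include <stddef.h>
#include <string.h>

/* Model of a quote-aware end-of-word scan over [low, high), starting at p.
 * Returns where the scan stops. *oob receives the number of times an
 * unguarded p[-1] test would have read before low. Names are assumptions. */
const char *scan_endword(const char *low, const char *p, const char *high,
                         const char *delim, size_t *oob)
{
    char inquote = 0;
    *oob = 0;
    for (; p < high; p++) {
        /* Guarded lookback: at p == low there is no previous character. */
        int escaped = (p > low) && (p[-1] == '\\');
        int is_delim = strchr(delim, *p) != NULL;
        if (*p == '\'' || *p == '"') {
            if (!inquote && p == low)   /* unguarded: inquote || p[-1] != '\\' */
                (*oob)++;
            if (inquote || !escaped) {  /* honor the quote unless escaped */
                if (inquote == 0)
                    inquote = *p;
                else if (inquote == *p)
                    inquote = 0;
            }
        }
        if (!inquote && is_delim) {
            if (p == low)               /* unguarded: ... && p[-1] != '\\' */
                (*oob)++;
            if (!escaped)
                break;                  /* unquoted, unescaped delimiter */
        }
    }
    return p;
}

/* Wrappers over a NUL-terminated line, scanning from index start. */
size_t oob_lookbacks(const char *line, size_t start, const char *delim)
{
    size_t oob;
    scan_endword(line, line + start, line + strlen(line), delim, &oob);
    return oob;
}

size_t endword_index(const char *line, size_t start, const char *delim)
{
    size_t oob;
    return (size_t)(scan_endword(line, line + start, line + strlen(line),
                                 delim, &oob) - line);
}
```

With a constructed input of a lone `'` scanned from index 0, `oob_lookbacks` reports one before-start lookback, which corresponds to the condition in the report where `inquote` is 0 and `p` is the first element of its block.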