View Issue Details

ID: 0000537
Project: tcsh
Category: General
View Status: public
Last Update: 2024-06-25 08:46
Reporter: rtm
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: amd64
OS: FreeBSD
OS Version: 14.1
Product Version: 6.22.03
Summary: 0000537: M-/ can cause c_endword() to read before start of buffer

Description:

If the previous input was just ' by itself, then M-/ can
cause this line in c_endword():

            if (inquote || p[-1] != (Char)'\\') { /* Should it be honored? */

to access memory before the start of the heap block to which p points.

tcsh 6.22.04 (Astron) 2021-04-26 (x86_64-amd-FreeBSD) options wide,nls,dl,al,kan,sm,rh,color,filec

To reproduce, run tcsh under valgrind and type

' <return> / <esc> /

   Invalid read of size 4
     at 0x162869: c_endword (tcsh/ed.chared.c:804)
     by 0x162703: c_preword (tcsh/ed.chared.c:269)
     by 0x16237C: e_dabbrev_expand (tcsh/ed.chared.c:2195)
     by 0x16D275: Inputl (tcsh/ed.inputl.c:186)
     by 0x1423A6: bgetc (tcsh/sh.lex.c:1679)
     by 0x140B8E: readc (tcsh/sh.lex.c:1440)
     by 0x140442: lex (tcsh/sh.lex.c:160)
     by 0x1238D0: process (tcsh/sh.c:2071)
     by 0x122AA0: main (tcsh/sh.c:1430)
   Address 0x56d27cc is 4 bytes before a block of size 32 alloc'd
     at 0x4851951: realloc (vg_replace_malloc.c:1694)
     by 0x179005: srealloc (tcsh/tc.alloc.c:551)
     by 0x184ABE: Strbuf_finish (tcsh/tc.str.c:710)
     by 0x17A98A: expand_lex (tcsh/tc.func.c:141)
     by 0x162403: e_dabbrev_expand (tcsh/ed.chared.c:2201)
     by 0x16D275: Inputl (tcsh/ed.inputl.c:186)
     by 0x1423A6: bgetc (tcsh/sh.lex.c:1679)
     by 0x140B8E: readc (tcsh/sh.lex.c:1440)
     by 0x140442: lex (tcsh/sh.lex.c:160)
     by 0x1238D0: process (tcsh/sh.c:2071)
     by 0x122AA0: main (tcsh/sh.c:1430)
Tags: No tags attached.
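
The look-behind at the start of a buffer that this report describes, with a lower-bound check in front of it, as an added example that is not tcsh code and not part of the original report. It is a simplified word scanner; `XChar`, `escaped`, `end_of_word` and `scan_sample` are hypothetical names, and the sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>

typedef int XChar; /* hypothetical 4-byte character type (assumption) */

/* Is *p preceded by a backslash? The p > low test comes first, so the
 * first element of the buffer never triggers a read of p[-1]. */
static int escaped(const XChar *low, const XChar *p)
{
    return p > low && p[-1] == '\\';
}

/* Index of the last character of the first word in buf[0..len), where
 * quotes group characters and backslash escapes one; -1 if no word. */
static ptrdiff_t end_of_word(const XChar *buf, size_t len, XChar delim)
{
    const XChar *high = buf + len, *p = buf;
    XChar inquote = 0;

    while (p < high && *p == delim && !escaped(buf, p))
        p++;                              /* skip leading delimiters */
    if (p == high)
        return -1;
    for (; p < high; p++) {
        if ((*p == '\'' || *p == '"') && (inquote || !escaped(buf, p))) {
            if (inquote == 0)
                inquote = *p;             /* opening quote */
            else if (inquote == *p)
                inquote = 0;              /* matching close */
        }
        if (!inquote && *p == delim && !escaped(buf, p))
            break;                        /* unquoted, unescaped delimiter */
    }
    return (p - buf) - 1;
}

/* Widen a constructed ASCII sample (at most 64 chars) and scan it. */
static ptrdiff_t scan_sample(const char *s)
{
    XChar buf[64];
    size_t n = 0;
    for (; s[n] != '\0' && n < 64; n++)
        buf[n] = (unsigned char)s[n];
    return end_of_word(buf, n, ' ');
}

int main(void)
{
    printf("%td %td\n", scan_sample("'"), scan_sample("a\\ b c"));
    return 0;
}
```

The lone-quote sample is the case from the report: the quote sits at index 0, so an unguarded `p[-1]` would read one element before the buffer.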

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2024-06-25 08:46 rtm New Issue