From 6c0c240366b96f65a769c1cb036e91e1ad47e327 Mon Sep 17 00:00:00 2001 From: Jilles Tjoelker Date: Sun, 25 Jul 2010 22:25:52 +0000 Subject: [PATCH] sh: Fix crash due to uninitialized here-document. If an ; or & token was followed by an EOF token, pending here-documents were left uninitialized. Execution would crash, either in the main shell process for literal here-documents or in a child process for expanded here-documents. In the latter case the problem is hard to detect apart from the core dumps and log messages. Side effect: slightly different retries on inputs where EOF is not persistent. Note that tools/regression/bin/sh/parser/heredoc6.0 still causes a similar crash in a child process. The text passed to eval is malformed and should be rejected. --- bin/sh/parser.c | 3 +++ tools/regression/bin/sh/parser/heredoc7.0 | 19 +++++++++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 tools/regression/bin/sh/parser/heredoc7.0 diff --git a/bin/sh/parser.c b/bin/sh/parser.c index 9c89d9fc552e..69d3e6f2d9f1 100644 --- a/bin/sh/parser.c +++ b/bin/sh/parser.c @@ -269,6 +269,9 @@ list(int nlflag) parseheredoc(); if (nlflag) return n1; + } else if (tok == TEOF && nlflag) { + parseheredoc(); + return n1; } else { tokpushback++; } diff --git a/tools/regression/bin/sh/parser/heredoc7.0 b/tools/regression/bin/sh/parser/heredoc7.0 new file mode 100644 index 000000000000..a15010648780 --- /dev/null +++ b/tools/regression/bin/sh/parser/heredoc7.0 @@ -0,0 +1,19 @@ +# $FreeBSD$ + +# Some of these created malformed parse trees with null pointers for here +# documents, causing the here document writing process to segfault. +eval ': <
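Review bot: In the bin/sh/parser.c hunk, the new branch `else if (tok == TEOF && nlflag)` only covers the case where nlflag is set; with nlflag zero, a TEOF after `;` or `&` still takes the existing `tokpushback++` path without calling parseheredoc(). If that path is known to reach parseheredoc() through the caller, a short comment saying so would help; otherwise the condition may need to drop the nlflag test. The branch also returns without pushing the TEOF token back, which appears to be the source of the retry side effect described in the commit message. That behaviour is worth a one-line comment above the branch so it is documented in the code and not only in the log.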
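Review bot: The header comment in tools/regression/bin/sh/parser/heredoc7.0 says "Some of these" produced null here-document pointers but does not say how a segfault in the here-document writing process is made to fail the test. The commit message notes that the child-process case is hard to detect apart from core dumps and log messages, so the comment should state which cases exercise the child path and what check (for example, the exit status of the command reading the here-document) catches a crash there. A pointer to heredoc6.0, which the commit message says still crashes in a child process, would also tell the reader that the remaining case is known and tracked.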