Mercurial > hg > toybox
changeset 1613:96aa7ec74936 draft
Fix yet another sed bug.
The s/// command would copy the \ of substitutions before deciding what to
do with them (generally overwriting the \ with the new data). When the
substitution was A) at the very end of the new string, B) resolved to nothing,
it could leave a trailing \ that didn't belong there and didn't get overwritten
because the "copy trailing data" part that copies the original string's null
terminator already happened before the \ overwrote it.
The ghostwheel() function restarts regexes after embedded NUL bytes, but
if the string it's passed is _longer_ than the length it's told then it
gets confused (and it means we're off the end of our allocation so segfaults
are likely).
Fix: test for \ first and move the "copy byte" logic into an else case.
| author | Rob Landley <rob@landley.net> |
|---|---|
| date | Mon, 15 Dec 2014 03:34:55 -0600 |
| parents | eec3b88f2d58 |
| children | 21867cda5e41 |
| files | toys/pending/sed.c |
| diffstat | 1 files changed, 8 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/toys/pending/sed.c Sun Dec 14 13:51:28 2014 -0600 +++ b/toys/pending/sed.c Mon Dec 15 03:34:55 2014 -0600 @@ -512,25 +512,28 @@ for (off = mlen = 0; new[off]; off++) { int cc = 0, ll; - if ((rswap[mlen++] = new[off]) == '\\') { + if (new[off] == '\\') { cc = new[++off] - '0'; if (cc<0 || cc>9) { - if (!(rswap[mlen-1] = unescape(new[off]))) + if (!(rswap[mlen++] = unescape(new[off]))) rswap[mlen-1] = new[off]; continue; } else if (match[cc].rm_so == -1) error_exit("no s//\\%d/", cc); - } else if (new[off] != '&') continue; + } else if (new[off] != '&') { + rswap[mlen++] = new[off]; + + continue; + } ll = match[cc].rm_eo-match[cc].rm_so; - memcpy(rswap+(--mlen), rline+match[cc].rm_so, ll); + memcpy(rswap+mlen, rline+match[cc].rm_so, ll); mlen += ll; } rline = rswap+newlen; free(line); line = swap; - len = rlen+(rline-line); // Stop after first substitution unless we have flag g if (!(logrus->sflags & 2)) break;