Navigation

← Previous Changeset
Next Changeset →

Changeset 230

Timestamp:

05/19/05 21:49:19 (4 years ago)

Author:

athomas

Message:

Fixed some array bounds checking bugs reported by Pierre Gentile.
Fixed some argument expansion issues.

Files:

op/trunk/main.c (modified) (9 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

op/trunk/main.c

r228	r230
866	866	strcpy(new_envp[curenv], "XAUTHORITY=");
867	867	strcat(new_envp[curenv], xauth);
	868	if (curenv + 1 >= MAXENV)
	869	fatal(1, "Environment length exceeded");
868	870	++curenv;
869	871	/* Propagate $DISPLAY to new environment */
…	…
871	873	strcpy(new_envp[curenv], "DISPLAY=");
872	874	strcat(new_envp[curenv], getenv("DISPLAY"));
	875	if (curenv + 1 >= MAXENV)
	876	fatal(1, "Environment length exceeded");
873	877	++curenv;
874	878	}
…	…
956	960	continue;
957	961	if (strchr(cmd->opts[i], '=') != NULL) {
	962	if (curenv + 1 >= MAXENV)
	963	fatal(1, "Environment length exceeded");
958	964	new_envp[curenv++] = cmd->opts[i] + 1;
959	965	continue;
…	…
964	970	if (strncmp(cmd->opts[i] + 1, environ[j],
965	971	cp - environ[j]) == 0) {
	972	if (curenv + 1 >= MAXENV)
	973	fatal(1, "Environment length exceeded");
966	974	new_envp[curenv++] = environ[j];
967	975	break;
…	…
970	978	}
971	979	} else {
972		for (i = 0; environ[i] != NULL; i++)
	980	for (i = 0; environ[i] != NULL; i++) {
	981	if (curenv + 1 >= MAXENV)
	982	fatal(1, "Environment length exceeded");
973	983	new_envp[curenv++] = environ[i];
	984	}
974	985	}
975	986	new_envp[curenv] = NULL;
…	…
980	991	break;
981	992
982		if (environ[i] != NULL)
	993	if (environ[i] != NULL) {
	994	if (curarg >= MAXARG - 1)
	995	fatal(1, "Argument length exceeded");
983	996	new_argv[curarg++] = environ[i] + 6;
984		else {
	997	} else {
985	998	fatal(1, "No shell");
986	999	}
987	1000
988	1001	if (argc != 1) {
	1002	if (curarg >= MAXARG - 1)
	1003	fatal(1, "Argument length exceeded");
989	1004	new_argv[curarg++] = "-c";
990	1005
…	…
1002	1017	strcat(cp, " ");
1003	1018	}
	1019	if (curarg >= MAXARG - 1)
	1020	fatal(1, "Argument length exceeded");
1004	1021	new_argv[curarg++] = cp;
1005	1022	}
…	…
1008	1025	np = cmd->args[i];
1009	1026
1010		/* Embedded match */
1011		while ((cp = strchr(np, '$')) != NULL) {
1012		if ((cp != cmd->args[i]) && (*(cp-1) == '\\'))
1013		np = cp + 1;
1014		else {
1015		char *tmp;
1016
1017		np = cp + 1;
1018		++cp;
1019
1020		if (cp == '') {
1021		int len = 1;
1022		char *buffer;
1023
	1027	/* Complete argument is a variable expansion. */
	1028	if (strlen(np) == 2 && np[0] == '$') {
	1029	if (np[1] == '*') {
	1030	if (curarg + argc >= MAXARG - 1)
	1031	fatal(1, "Argument length exceeded");
	1032	for (j = 1; j < argc; j++)
	1033	new_argv[curarg++] = argv[j];
	1034	} else
	1035	if (isdigit(np[1])) {
	1036	if (atoi(np + 1) > argc)
	1037	fatal(1, "Referenced argument out of range");
	1038	if (curarg >= MAXARG - 1)
	1039	fatal(1, "Argument length exceeded");
	1040	new_argv[curarg++] = argv[atoi(np + 1)];
	1041	}
	1042	continue;
	1043	} else {
	1044	/* Embedded match */
	1045	while ((cp = strchr(np, '$')) != NULL) {
	1046	if ((cp != cmd->args[i]) && (*(cp-1) == '\\'))
	1047	np = cp + 1;
	1048	else {
	1049	char *tmp;
	1050
	1051	np = cp + 1;
1024	1052	++cp;
1025		/* Find total length of all arguments */
1026		for (j = 1; j < argc; j++)
1027		len += strlen(argv[j]) + 1;
1028
1029		if ((buffer = malloc(len)) == NULL)
1030		fatal(1, "Can't allocate buffer");
1031
1032		buffer[0] = 0;
1033
1034		/* Expand all arguments */
1035		for (j = 1; j < argc; j++) {
1036		strcat(buffer, argv[j]);
1037		if (j < argc - 1) strcat(buffer, " ");
1038		}
1039		tmp = str_replace(cmd->args[i],
1040		np - cmd->args[i] - 1, cp - np + 1, buffer);
1041		cp = tmp + (cp - cmd->args[i]);
1042		np = cp;
1043		cmd->args[i] = tmp;
1044		} else {
1045		while (isdigit(*cp)) ++cp;
1046
1047		if (cp != np) {
1048		val = atoi(np);
1049
	1053
	1054	if (cp == '') {
	1055	int len = 1;
	1056	char *buffer;
	1057
	1058	++cp;
	1059	/* Find total length of all arguments */
	1060	for (j = 1; j < argc; j++)
	1061	len += strlen(argv[j]) + 1;
	1062
	1063	if ((buffer = malloc(len)) == NULL)
	1064	fatal(1, "Can't allocate buffer");
	1065
	1066	buffer[0] = 0;
	1067
	1068	/* Expand all arguments */
	1069	for (j = 1; j < argc; j++) {
	1070	strcat(buffer, argv[j]);
	1071	if (j < argc - 1) strcat(buffer, " ");
	1072	}
1050	1073	tmp = str_replace(cmd->args[i],
1051		np - cmd->args[i] - 1, cp - np + 1, ~~argv[val]~~);
1052		cp = tmp + (cp - cmd->args[i]) ~~+ 1~~;
	1074	np - cmd->args[i] - 1, cp - np + 1, buffer);
	1075	cp = tmp + (cp - cmd->args[i]);
1053	1076	np = cp;
1054	1077	cmd->args[i] = tmp;
	1078	} else {
	1079	while (isdigit(*cp)) ++cp;
	1080
	1081	if (cp != np) {
	1082	val = atoi(np);
	1083
	1084	tmp = str_replace(cmd->args[i],
	1085	np - cmd->args[i] - 1, cp - np + 1, argv[val]);
	1086	cp = tmp + (cp - cmd->args[i]) + 1;
	1087	np = cp;
	1088	cmd->args[i] = tmp;
	1089	}
1055	1090	}
1056	1091	}
…	…
1059	1094
1060	1095	if (cp == NULL) {
	1096	if (curarg >= MAXARG - 1)
	1097	fatal(1, "Argument length exceeded");
1061	1098	new_argv[curarg++] = cmd->args[i];
1062	1099	continue;

Navigation

Changeset 230

Legend:

op/trunk/main.c

Download in other formats: