diff options
| author | Denys Vlasenko | 2016-09-17 20:53:47 +0200 |
|---|---|---|
| committer | Denys Vlasenko | 2016-09-17 20:53:47 +0200 |
| commit | 7bc3d39695728c6257a95bc2d75e80d3e2431c8b (patch) | |
| tree | 4e05b6f94f7f0ab428ed63515d1e888b35e69426 | |
| parent | d2c5de0130d46e3314908cddb5f831a84a9f9e27 (diff) | |
| download | busybox-7bc3d39695728c6257a95bc2d75e80d3e2431c8b.zip busybox-7bc3d39695728c6257a95bc2d75e80d3e2431c8b.tar.gz | |
ash: add a FIXME for bug 9246
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | shell/ash.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/shell/ash.c b/shell/ash.c index 789a81c..790367b 100644 --- a/shell/ash.c +++ b/shell/ash.c @@ -11659,9 +11659,18 @@ parsebackq: { str = NULL; savelen = out - (char *)stackblock(); if (savelen > 0) { + /* + * FIXME: this can allocate very large block on stack and SEGV. + * Example: + * echo "..<100kbytes>..`true` $(true) `true` ..." + * alocates 100kb for every command subst. With about + * a hundred command substitutions stack overflows. + * With larger prepended string, SEGV happens sooner. + */ str = alloca(savelen); memcpy(str, stackblock(), savelen); } + if (oldstyle) { /* We must read until the closing backquote, giving special * treatment to some slashes, and then push the string and |