diff options
author | Herbert Xu <herbert@gondor.apana.org.au> | 2023-01-03 13:32:41 +0800 |
---|---|---|
committer | Herbert Xu <herbert@gondor.apana.org.au> | 2023-01-08 20:03:08 +0800 |
commit | 91a375576d37bb4db1eca48e6bf5bac0db6cc3fa (patch) | |
tree | b4c6495e8670a036c59ee06d2ac0946467437afe | |
parent | c3b97c70d8ffec83122caf2bfd0489380610217c (diff) | |
download | dash-91a375576d37bb4db1eca48e6bf5bac0db6cc3fa.tar.gz |
input: Eat rest of line upon reset
Interactively, sh_error() doesn't terminate, so
echo "|$(printf %10000s)echo bug" | sh -i
would read the first 8KiB, see that it's invalid, then jump back to the
parser, which would then read and execute the rest of the line as-if
it were the next line.
The fix for this is to explicitly consume the rest of the invalid line,
so that the next line observed is /actually/ the next line.
This is difficult to trigger accidentally right now, since we consume
the entire icanon line buffer at once (provided it's <8k, which it
~always is interactively), so we always observe one line at a time,
but the next patch would make even "| echo bug" blow up.
Reported-by: наб <nabijaczleweli@nabijaczleweli.xyz>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-rw-r--r-- | src/input.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/input.c b/src/input.c index ec075f5..cff15b5 100644 --- a/src/input.c +++ b/src/input.c @@ -77,6 +77,7 @@ INCLUDE <stdio.h> INCLUDE <unistd.h> INCLUDE "input.h" INCLUDE "error.h" +INCLUDE "syntax.h" INIT { basepf.nextc = basepf.buf = basebuf; @@ -85,9 +86,11 @@ INIT { RESET { /* clear input buffer */ - basepf.lleft = basepf.nleft = 0; - basepf.unget = 0; popallfiles(); + basepf.unget = 0; + while (basepf.lastc[0] != '\n' && + basepf.lastc[0] != PEOF) + pgetc(); } FORKRESET { |