ash: in heredoc code, fix access past the end of allocated memory. Closes 9276
authorDenys Vlasenko <vda.linux@googlemail.com>
Sun, 25 Sep 2016 19:24:04 +0000 (21:24 +0200)
committerDenys Vlasenko <vda.linux@googlemail.com>
Sun, 25 Sep 2016 19:24:04 +0000 (21:24 +0200)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
shell/ash.c

index 578b3dc22376905382e59fc9add3e0d03415acfe..a113ff1558dd7ea1456a72021c34ade97efb5876 100644 (file)
@@ -5112,8 +5112,26 @@ openredirect(union node *redir)
        char *fname;
        int f;
 
+       switch (redir->nfile.type) {
+/* Can't happen, our single caller does this itself */
+//     case NTOFD:
+//     case NFROMFD:
+//             return -1;
+       case NHERE:
+       case NXHERE:
+               return openhere(redir);
+       }
+
+       /* For N[X]HERE, reading redir->nfile.expfname would touch beyond
+        * allocated space. Do it only when we know it is safe.
+        */
        fname = redir->nfile.expfname;
+
        switch (redir->nfile.type) {
+       default:
+#if DEBUG
+               abort();
+#endif
        case NFROM:
                f = open(fname, O_RDONLY);
                if (f < 0)
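Review bot: The relocated `default:` label now sits directly above `case NFROM:`, so in a non-DEBUG build any node type the first switch did not return on is opened read-only through `fname`, whereas the removed code routed it to `openhere()`. The safety of `fname = redir->nfile.expfname` therefore rests on the caller contract mentioned in the commented-out `NTOFD`/`NFROMFD` cases, which nothing in this hunk enforces outside DEBUG. I would record that at the label, for example `default: /* unexpected type: DEBUG aborts, otherwise treated as NFROM; caller must pass only file redirections */`. A stricter alternative is to have the early switch name the file-carrying types explicitly, so the `expfname` read happens only for nodes known to have that member. The body of openredirect() begins before and continues past this hunk, so the remaining cases were not checked.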
@@ -5146,20 +5164,6 @@ openredirect(union node *redir)
                if (f < 0)
                        goto ecreate;
                break;
-       default:
-#if DEBUG
-               abort();
-#endif
-               /* Fall through to eliminate warning. */
-/* Our single caller does this itself */
-//     case NTOFD:
-//     case NFROMFD:
-//             f = -1;
-//             break;
-       case NHERE:
-       case NXHERE:
-               f = openhere(redir);
-               break;
        }
 
        return f;