From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Sun, 25 Sep 2016 19:24:04 +0000 (+0200)
Subject: ash: in heredoc code, fix access past the end of allocated memory. Closes 9276
X-Git-Tag: 1_26_0~250
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=557482c1cbeacaeb24247738b09983a0736d407a;p=oweals%2Fbusybox.git

ash: in heredoc code, fix access past the end of allocated memory. Closes 9276

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---

diff --git a/shell/ash.c b/shell/ash.c
index 578b3dc22..a113ff155 100644
--- a/shell/ash.c
+++ b/shell/ash.c
@@ -5112,8 +5112,26 @@ openredirect(union node *redir)
 	char *fname;
 	int f;
 
+	switch (redir->nfile.type) {
+/* Can't happen, our single caller does this itself */
+//	case NTOFD:
+//	case NFROMFD:
+//		return -1;
+	case NHERE:
+	case NXHERE:
+		return openhere(redir);
+	}
+
+	/* For N[X]HERE, reading redir->nfile.expfname would touch beyond
+	 * allocated space. Do it only when we know it is safe.
+	 */
 	fname = redir->nfile.expfname;
+
 	switch (redir->nfile.type) {
+	default:
+#if DEBUG
+		abort();
+#endif
 	case NFROM:
 		f = open(fname, O_RDONLY);
 		if (f < 0)
@@ -5146,20 +5164,6 @@ openredirect(union node *redir)
 		if (f < 0)
 			goto ecreate;
 		break;
-	default:
-#if DEBUG
-		abort();
-#endif
-		/* Fall through to eliminate warning. */
-/* Our single caller does this itself */
-//	case NTOFD:
-//	case NFROMFD:
-//		f = -1;
-//		break;
-	case NHERE:
-	case NXHERE:
-		f = openhere(redir);
-		break;
 	}
 
 	return f;