| https://git.busybox.net/busybox/commit/?id=ca96022d6edaaf619324db5a481698231d74d1df |
| |
| From ca96022d6edaaf619324db5a481698231d74d1df Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net> |
| Date: Tue, 8 Feb 2022 20:29:30 +0100 |
| Subject: ed: don't use memcpy with overlapping memory regions |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| The memcpy invocations in the subCommand function, modified by this |
| commit, previously used memcpy with overlapping memory regions. This is |
| undefined behavior. On Alpine Linux, it causes BusyBox ed to crash since |
| we compile BusyBox with -D_FORTIFY_SOURCE=2 and our fortify-headers |
| implementation catches this source of undefined behavior [0]. The issue |
| can only be triggered if the replacement string is the same size or |
| shorter than the old string. |
| |
| Looking at the code, it seems to me that a memmove(3) is what was |
| actually intended here, this commit modifies the code accordingly. |
| |
| [0]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/13504 |
| |
| Signed-off-by: Sören Tempel <soeren+git@soeren-tempel.net> |
| Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| --- a/editors/ed.c |
| +++ b/editors/ed.c |
| @@ -720,7 +720,7 @@ static void subCommand(const char *cmd, int num1, int num2) |
| if (deltaLen <= 0) { |
| memcpy(&lp->data[offset], newStr, newLen); |
| if (deltaLen) { |
| - memcpy(&lp->data[offset + newLen], |
| + memmove(&lp->data[offset + newLen], |
| &lp->data[offset + oldLen], |
| lp->len - offset - oldLen); |
| |
| -- |
| cgit v1.2.3 |