* [PATCH] input: Fix heap-buffer-overflow in preadbuffer on long lines
From: Tiago de Paula @ 2026-02-12 7:29 UTC (permalink / raw)
To: dash; +Cc: Herbert Xu, Tiago de Paula
Update lleft before calling preadfd so buffered data is preserved
when refilling the buffer during long line scanning, preventing
out-of-bounds reads.
Fixes: a065467315dc ("input: Move newline loop into preadbuffer")
Signed-off-by: Tiago de Paula <tiagodepalves@gmail.com>
---
I discovered this via perlbrew: config.sh contained a single
'cppsymbols=...' line that was 12502 characters long. The issue
can be replicated with:

    python -c 'print("VAR=" + "a"*8300)' > repro.sh
    dash repro.sh

AddressSanitizer reports a heap-buffer-overflow in preadbuffer(),
which led me to this fix.
src/input.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/input.c b/src/input.c
index c36d120..3467bd1 100644
--- a/src/input.c
+++ b/src/input.c
@@ -386,6 +386,7 @@ eof:
again:
nr = q - parsefile->nextc;
+ input_set_lleft(parsefile, nr);
more = preadfd();
q = parsefile->nextc + nr;
if (more <= 0) {
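Review bot: The added `input_set_lleft(parsefile, nr);` before `preadfd()` at `again:` relies on a requirement that the code itself does not state. The commit message says lleft must be updated before preadfd() so that buffered data is preserved on refill, but nothing at the call site explains why the store is needed. A short comment above the call would keep a later cleanup from dropping it as redundant. The `more <= 0` branch is cut off in this hunk, so please confirm lleft is left consistent on that path as well. Also consider adding the single 8300-character line reproducer from the message as a regression test, run under AddressSanitizer.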
--
2.53.0
* Re: [PATCH] input: Fix heap-buffer-overflow in preadbuffer on long lines
From: Herbert Xu @ 2026-03-14 9:23 UTC (permalink / raw)
To: Tiago de Paula; +Cc: dash, tiagodepalves
Tiago de Paula <tiagodepalves@gmail.com> wrote:
> Update lleft before calling preadfd so buffered data is preserved
> when refilling the buffer during long line scanning, preventing
> out-of-bounds reads.
>
> Fixes: a065467315dc ("input: Move newline loop into preadbuffer")
> Signed-off-by: Tiago de Paula <tiagodepalves@gmail.com>
> ---
> I discovered this via perlbrew: config.sh contained a single
> 'cppsymbols=...' line that was 12502 characters long. The issue
> can be replicated with:
>
> python -c 'print("VAR=" + "a"*8300)' > repro.sh
> dash repro.sh
>
> AddressSanitizer reports a heap-buffer-overflow in preadbuffer(),
> which led me to this fix.
>
> src/input.c | 1 +
> 1 file changed, 1 insertion(+)
Patch applied. Thanks.
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt