packages/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
busybox/backport-CVE-2022-48174.patch
songbuhuang 16dca17fd3 fix CVE-2022-48174 
Signed-off-by: songbuhuang <544824346@qq.com>
2023-08-29 12:51:34 +08:00

31 lines
1.1 KiB
Diff
Raw Blame History

From c0b333aa189c65293b680b942086ace3f3bfc8c1 Mon Sep 17 00:00:00 2001
From: huangsong <huangsong14@huawei.com>
Date: Mon, 28 Aug 2023 16:27:43 +0800
Subject: [PATCH] fix CVE-2022-48174
backport from upstream:
https://bugs.busybox.net/show_bug.cgi?id=15216
Signed-off-by: huangsong <huangsong14@huawei.com>
---
shell/math.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/shell/math.c b/shell/math.c
index 76d22c9..83ef85c 100644
--- a/shell/math.c
+++ b/shell/math.c
@@ -588,7 +588,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
/* The proof that there can be no more than strlen(startbuf)/2+1
* integers in any given correct or incorrect expression
* is left as an exercise to the reader. */
- var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+ /* Counterexample: 09J results in three integers. */
+ var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
var_or_num_t *numstackptr = numstack;
/* Stack of operator tokens */
operator *const stack = alloca(expr_len * sizeof(stack[0]));
--
2.26.2
Reference in New Issue View Git Blame Copy Permalink