[Bug 233343] the sh(1) bind(1) builtin segfaults when stdout is redirected in 12RC1
bugzilla-noreply at freebsd.org
Mon Nov 26 23:31:26 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233343
Jilles Tjoelker <jilles at FreeBSD.org> changed:
  What  |Removed |Added
----------------------------------------------------------------------------
  Status|New     |Open
--- Comment #3 from Jilles Tjoelker <jilles at FreeBSD.org> ---
I notice a bug in libedit. The function map_bind() in lib/libedit/map.c assumes
that the argv array ends with a NULL string pointer, but the documentation for
el_parse() does not say this is required and the implementation of
ct_decode_argv() does not make it such. As a result, memory out of bounds of
the allocation is accessed.
Since applications calling el_wparse() cannot be assumed to add the NULL
sentinel, functions like map_bind() should be adjusted (there may be more
places making this incorrect assumption).
By the way, I don't think the approach of converting strings into wchar_t
strings (that is, UTF-32, most of the time) should be repeated in new code.
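Added illustration (not part of the bug comment and not libedit's code): a sentinel-terminated argv walk next to one bounded by argc, the kind of adjustment comment #3 asks for. The function names and the sample argv arrays are hypothetical and constructed for this example; the slots past argc sit inside the same array so the demonstration stays within defined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Sentinel-style walk: ignores argc and stops only at a NULL pointer.
 * If the caller never stored a NULL, this reads past the array. */
static int count_opts_sentinel(int argc, const wchar_t **argv)
{
    int n = 0;
    (void)argc;
    for (int i = 1; argv[i] != NULL; i++)
        if (argv[i][0] == L'-')
            n++;
    return n;
}

/* Bounded walk: never indexes at or past argc, and still stops early
 * if a caller did supply a NULL sentinel. */
static int count_opts_bounded(int argc, const wchar_t **argv)
{
    int n = 0;
    for (int i = 1; i < argc && argv[i] != NULL; i++)
        if (argv[i][0] == L'-')
            n++;
    return n;
}

/* Constructed input: argc == 3 covers slots 0..2. Slots 3 and 4 stand in
 * for whatever happens to follow the caller's real allocation. */
static const wchar_t *demo_argv[] = { L"bind", L"-v", L"^A", L"-stale", NULL };
static const int demo_argc = 3;

/* Constructed input with exactly argc entries and no NULL sentinel. */
static const wchar_t *tight_argv[] = { L"bind", L"-v", L"-e" };

int sentinel_result(void)     { return count_opts_sentinel(demo_argc, demo_argv); }
int bounded_result(void)      { return count_opts_bounded(demo_argc, demo_argv); }
int bounded_no_sentinel(void) { return count_opts_bounded(3, tight_argv); }

int main(void)
{
    printf("sentinel walk counted %d option(s)\n", sentinel_result());
    printf("bounded walk counted %d option(s)\n", bounded_result());
    printf("bounded walk, no sentinel: %d option(s)\n", bounded_no_sentinel());
    return 0;
}
```

The sentinel walk picks up the stale slot beyond argc, while the bounded walk gives the same answer whether or not the caller appended a NULL.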