[BusyBox] [PATCH] cmdedit reads past end of completion strings

Elliot Schwartz elliot at instant802.com
Wed Sep 29 02:15:09 UTC 2004


Glenn McGrath <bug1 at iinet.net.au> writes:
> On Tue, 28 Sep 2004 14:20:37 -0700
> Elliot Schwartz <elliot at instant802.com> wrote:
> 
> > While running under valgrind I noticed that shell/cmdedit.c reads past
> > the end of completion strings. It looks like the code probably meant
> > to bail out once it found the first unique letter in a completion.
> 
> hmm, I don't see how your patch changes it.
> 
> Line 4 sets the terminating condition for the outer loop.
> Line 5 exits the inner loop.
> So the current code should break out of all the loops when the condition
> at line 3 is met.
> 
> 1 for (tmp1 = tmp; *tmp1; tmp1++) {
> 2	for (len_found = 1; len_found < num_matches; len_found++) {
> 3		if (matches[len_found][(tmp1 - tmp)] != *tmp1) {
> 4			*tmp1 = 0;
> 5			break;
> 		}
> 	}
> }

Actually, if I understand this correctly, the purpose of Line 4 is to
put a '\0' into the string, to mark the point at which the common prefix to
all possible completions ends.

Line 4 doesn't set the terminating condition for the outer loop, since
tmp1 is incremented before the condition is tested, and points to the
character _after_ the one that was set to '\0'.

elliot
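As an added illustration of the point above (not Elliot's patch and not BusyBox's own code): the loop exactly as quoted, next to a variant that leaves both loops at the first divergence, run over a constructed list of completion candidates. The names tmp, tmp1, len_found, matches and num_matches follow the quoted snippet; the candidate strings, the `diverged` flag, and the instrumentation that records each read the quoted loop would make beyond a candidate's terminating NUL (modelled here as a mismatch instead of being performed) are assumptions of this example.

```c
/* Added example: longest common prefix of tab-completion candidates,
 * with the loop structure quoted in the thread beside a bailing-out one.
 * The candidate list and the read-past-NUL counting are constructed here. */
#include <stdio.h>
#include <string.h>

/* Constructed candidates (not from the original report). SAMPLE[0] plays
 * the role of 'tmp'; the shortest candidate sits at index 1 so that, once
 * the prefix has ended, the quoted loop has to index past its NUL before
 * the longer candidate at index 2 can produce a mismatch. */
static const char *const SAMPLE[] = { "complete", "com", "compile" };
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

/* The loop as quoted. A read at matches[len_found][pos] with pos beyond
 * that candidate's NUL is counted and treated as a mismatch rather than
 * performed, so the example is safe to run. Returns the prefix length. */
static size_t common_prefix_quoted(char *tmp, const char *const *matches,
                                   int num_matches, int *reads_past_end)
{
    char *tmp1;
    int len_found;

    *reads_past_end = 0;
    for (tmp1 = tmp; *tmp1; tmp1++) {
        for (len_found = 1; len_found < num_matches; len_found++) {
            size_t pos = (size_t)(tmp1 - tmp);
            if (pos > strlen(matches[len_found])) {
                /* original would evaluate matches[len_found][pos] here */
                (*reads_past_end)++;
                *tmp1 = 0;
                break;
            }
            if (matches[len_found][pos] != *tmp1) {
                *tmp1 = 0;   /* terminates tmp at the divergence point... */
                break;       /* ...but only leaves the inner loop */
            }
        }
        /* tmp1++ now steps past the NUL just written; *tmp1 is still the
         * original character, so the outer loop carries on */
    }
    return strlen(tmp);
}

/* Same loop, but the first divergence ends the outer loop as well.
 * Invariant: at position pos, positions 0..pos-1 matched every candidate,
 * so each candidate is at least pos chars long and index pos is at worst
 * its terminating NUL; the past-end branch can never be taken. */
static size_t common_prefix_fixed(char *tmp, const char *const *matches,
                                  int num_matches, int *reads_past_end)
{
    char *tmp1;
    int len_found;
    int diverged = 0;

    *reads_past_end = 0;
    for (tmp1 = tmp; *tmp1 && !diverged; tmp1++) {
        for (len_found = 1; len_found < num_matches; len_found++) {
            size_t pos = (size_t)(tmp1 - tmp);
            if (pos > strlen(matches[len_found])) {
                (*reads_past_end)++;   /* unreachable by the invariant */
                *tmp1 = 0;
                diverged = 1;
                break;
            }
            if (matches[len_found][pos] != *tmp1) {
                *tmp1 = 0;
                diverged = 1;          /* stop the outer loop too */
                break;
            }
        }
    }
    return strlen(tmp);
}

/* Copies SAMPLE[0] into scratch space and runs one of the two variants. */
static size_t run_sample(int use_fixed, int *reads_past_end)
{
    char buf[64];   /* large enough for the constructed SAMPLE[0] */
    snprintf(buf, sizeof buf, "%s", SAMPLE[0]);
    return use_fixed
        ? common_prefix_fixed(buf, SAMPLE, SAMPLE_N, reads_past_end)
        : common_prefix_quoted(buf, SAMPLE, SAMPLE_N, reads_past_end);
}

static int sample_reads_past_end(int use_fixed)
{
    int reads;
    run_sample(use_fixed, &reads);
    return reads;
}

static size_t sample_prefix_len(int use_fixed)
{
    int reads;
    return run_sample(use_fixed, &reads);
}

int main(void)
{
    int reads;
    size_t len = run_sample(0, &reads);
    printf("quoted loop:  prefix length %zu, reads past a candidate's NUL: %d\n", len, reads);
    len = run_sample(1, &reads);
    printf("bailing out:  prefix length %zu, reads past a candidate's NUL: %d\n", len, reads);
    return 0;
}
```

Both variants arrive at the same prefix, because every later `*tmp1 = 0` lands beyond a NUL that is already there; the difference is only in the indexing that happens after the prefix has ended, which is what valgrind flags on the real code where the reads are performed rather than counted.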
