From ba44d48bec1ced7d7706d84da33a5976f1d8c3cb Mon Sep 17 00:00:00 2001
From: songbuhuang <544824346@qq.com>
Date: Wed, 30 Aug 2023 11:55:40 +0800
Subject: [PATCH] fix CVE-2022-48174

Signed-off-by: songbuhuang <544824346@qq.com>
---
 shell/math.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/shell/math.c b/shell/math.c
index 2942cdd..8835e90 100644
--- a/shell/math.c
+++ b/shell/math.c
@@ -593,7 +593,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
 	/* The proof that there can be no more than strlen(startbuf)/2+1
 	 * integers in any given correct or incorrect expression
 	 * is left as an exercise to the reader. */
-	var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
+	/* Counterexample: 09J results in three integers. */
+	var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
 	var_or_num_t *numstackptr = numstack;
 	/* Stack of operator tokens */
 	operator *const stack = alloca(expr_len * sizeof(stack[0]));
-- 
2.26.2