28 lines
1.0 KiB
Diff
28 lines
1.0 KiB
Diff
From ba44d48bec1ced7d7706d84da33a5976f1d8c3cb Mon Sep 17 00:00:00 2001
|
|
From: songbuhuang <544824346@qq.com>
|
|
Date: Wed, 30 Aug 2023 11:55:40 +0800
|
|
Subject: [PATCH] fix CVE-2022-48174
|
|
|
|
Signed-off-by: songbuhuang <544824346@qq.com>
|
|
---
|
|
shell/math.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/shell/math.c b/shell/math.c
|
|
index 2942cdd..8835e90 100644
|
|
--- a/shell/math.c
|
|
+++ b/shell/math.c
|
|
@@ -593,7 +593,8 @@ evaluate_string(arith_state_t *math_state, const char *expr)
|
|
/* The proof that there can be no more than strlen(startbuf)/2+1
|
|
* integers in any given correct or incorrect expression
|
|
* is left as an exercise to the reader. */
|
|
- var_or_num_t *const numstack = alloca((expr_len / 2) * sizeof(numstack[0]));
|
|
+ /* Counterexample: 09J results in three integers. */
|
|
+ var_or_num_t *const numstack = alloca((expr_len - 2) * sizeof(numstack[0]));
|
|
var_or_num_t *numstackptr = numstack;
|
|
/* Stack of operator tokens */
|
|
operator *const stack = alloca(expr_len * sizeof(stack[0]));
|
|
--
|
|
2.26.2
|
|
|