On 1/6/19 9:25 PM, Eduardo A. Bustamante López wrote:
> I found the issue with AFL (http://lcamtuf.coredump.cx/afl/).
>
> The crash itself happens due to the following:
>
> dualbus@system76-pc:~/src/gnu/bash$ cat -n lib/readline/text.c | sed -n '1455,1460p'
>   1455	  mlen = wcrtomb (mb, nwc, &mps); // <- mlen is -1, due to `nwc' being an invalid character.
>   1456	  if (mlen > 0)
>   1457	    mb[mlen] = '\0';
>   1458	  /* what to do if m != mlen? adjust below */
>   1459	  /* m == length of old char, mlen == length of new char */
>   1460	  s = rl_line_buffer + start;
>
> dualbus@system76-pc:~/src/gnu/bash$ cat -n lib/readline/text.c | sed -n '1475,1480p'
>   1475	  rl_extend_line_buffer (mlen - m + 1);
>   1476	  memmove (s + mlen, s + m, (e - s) - m);
>   1477	  memcpy (s, mb, mlen); // <- mlen is negative here, thus it's an invalid `memcpy'
>   1478	  next += mlen - m;	/* next char changes */
>   1479	  end += mlen - m;	/* end of word changes */
>   1480	  rl_end += mlen - m;	/* end of line changes */
>
> I'm not really sure how to fix this problem. I worked around it by changing the
> condition in L1456 to just return early from the function.
It's interesting that towupper returns a valid wide character in the zh_CN.gbk
locale, but one that can't be converted back to a multibyte byte sequence. I
didn't really think that was possible. I'll figure out some workaround that will
probably involve reverting back to the original character.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/
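The failure mode discussed in this thread, as an added example that is not readline's code and not from either poster: a small in-place "upcase the character at this offset" routine in the style of the quoted text.c lines. `length_memcpy_would_get()` repeats the quoted pattern (wcrtomb()'s size_t result stored in an int, checked with `> 0`) and returns the size that `memcpy (s, mb, mlen)` would then receive; `upcase_char_at()` is a hardened version that keeps `mlen` as size_t, tests it against `(size_t)-1` before touching the buffer, and leaves the original character alone when the uppercased one has no encoding, which is the workaround Chet describes. The function and parameter names, the buffer layout and `unencodable_upcase()` are all assumptions of this example: since zh_CN.gbk may not be installed where this runs, the program stays in the "C" locale (nothing outside ASCII is encodable there) and `unencodable_upcase()` stands in for a towupper() that returns a wide character the locale cannot convert back, exactly the situation the report describes.

```c
/*
 * Added example, not readline's own code. 'unencodable_upcase', 'upcase_char_at'
 * and 'length_memcpy_would_get' are names made up for this demonstration.
 * Without a setlocale() call the program runs in the "C" locale, so any
 * non-ASCII wide character makes wcrtomb() return (size_t)-1 (errno EILSEQ).
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Stand-in for towupper() in a locale where its result is not encodable
 * (assumption of this example, modelled on the zh_CN.gbk report). */
wint_t unencodable_upcase(wint_t wc)
{
    (void)wc;
    return 0x4E2D;   /* a CJK ideograph: no representation in the "C" locale */
}

/* The quoted text.c pattern: wcrtomb()'s size_t result stored in an int.
 * Returns what memcpy (s, mb, mlen) would receive as its size argument. */
size_t length_memcpy_would_get(wchar_t nwc)
{
    char mb[MB_LEN_MAX + 1];
    mbstate_t mps;
    memset(&mps, 0, sizeof mps);
    int mlen = wcrtomb(mb, nwc, &mps);  /* (size_t)-1 becomes -1 here */
    if (mlen > 0)                       /* false for -1, so nothing is caught */
        mb[mlen] = '\0';
    return (size_t)mlen;                /* -1 converts back to SIZE_MAX */
}

/* Hardened version. 'buf' holds a NUL-terminated line of '*len' bytes in a
 * buffer of 'cap' bytes; 'upcase' is towupper() or a stand-in. The character
 * starting at byte offset 'start' is replaced by its uppercased form in place.
 * Returns 1 if it was replaced, 0 if the line was left unchanged. */
int upcase_char_at(char *buf, size_t cap, size_t *len, size_t start,
                   wint_t (*upcase)(wint_t))
{
    mbstate_t ps;
    wchar_t wc;
    char mb[MB_LEN_MAX];
    size_t m, mlen, tail;

    if (start >= *len)
        return 0;
    memset(&ps, 0, sizeof ps);
    m = mbrtowc(&wc, buf + start, *len - start, &ps);   /* m: length of old char */
    if (m == 0 || m == (size_t)-1 || m == (size_t)-2)
        return 0;                       /* NUL, invalid or incomplete sequence */

    memset(&ps, 0, sizeof ps);
    mlen = wcrtomb(mb, (wchar_t)upcase((wint_t)wc), &ps); /* mlen: length of new char */
    if (mlen == (size_t)-1)
        return 0;                       /* no encoding for the result: keep the old char */

    tail = *len - start - m + 1;        /* bytes after the old char, including the NUL */
    if (*len - m + mlen + 1 > cap)
        return 0;                       /* would not fit; a real editor would grow the buffer */
    memmove(buf + start + mlen, buf + start + m, tail);
    memcpy(buf + start, mb, mlen);
    *len = *len - m + mlen;
    return 1;
}

int main(void)
{
    char line[32] = "hello";            /* constructed sample input */
    size_t len = strlen(line);

    printf("size memcpy would get after wcrtomb(U+4E2D) stored in an int: %zu\n",
           length_memcpy_would_get(0x4E2D));
    printf("towupper at offset 0: replaced=%d\n",
           upcase_char_at(line, sizeof line, &len, 0, towupper));
    printf("line is now \"%s\"\n", line);
    printf("unencodable result at offset 1: replaced=%d\n",
           upcase_char_at(line, sizeof line, &len, 1, unencodable_upcase));
    printf("line is still \"%s\"\n", line);
    return 0;
}
```

The point of keeping `mlen` as size_t is that `(size_t)-1` is a value the code can compare against, whereas once it has been narrowed to an int the `> 0` test silently passes -1 through to `rl_extend_line_buffer`, `memmove` and `memcpy`, where it turns back into SIZE_MAX.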