From ca6b4798102d1b758ebf1e15806894b946353b39 Mon Sep 17 00:00:00 2001 From: Oliver Webb Date: Mon, 4 Sep 2023 18:52:44 -0500 Subject: [PATCH] modified: toys/pending/sh.c When toysh processes a escaped newline, A segfault can occur if the command is formatted in a specific way. This fix checks if a pointer in 'expand_arg()' is null before subtracting with it. --- toys/pending/sh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/toys/pending/sh.c b/toys/pending/sh.c index fc9edcff..2f1a510e 100644 --- a/toys/pending/sh.c +++ b/toys/pending/sh.c @@ -2297,7 +2297,7 @@ static int expand_arg(struct sh_arg *arg, char *old, unsigned flags, // collect brace spans if ((TT.options&OPT_B) && !(flags&NO_BRACE)) for (i = 0; ; i++) { // skip quoted/escaped text - while ((s = parse_word(old+i, 1)) != old+i) i += s-(old+i); + while ((s = parse_word(old+i, 1)) != old+i && s) i += s-(old+i); // start a new span if (old[i] == '{') { -- 2.39.2