Sorry for missing your fix for so long. I would like to avoid having numstack[] too large, so I'm adding some code to bail out early if we see a number immediately followed by a number or a name, which is never valid.
Thus, the current allocation will not be overflowed. Please try current git. On Thu, Dec 29, 2022 at 2:53 PM Ron Yorston <r...@pobox.com> wrote: > > Both ash and hush segfault when asked to evaluate ${0::0/0~09J}. > > The stack for integer values in the arithmetic code was too small: > '09J' results in three integers. The leading zero starts an octal > number but '9' isn't an octal digit so '0', '9' and the variable > 'Z' are placed on the stack. > > Signed-off-by: Ron Yorston <r...@pobox.com> > --- > shell/math.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/shell/math.c b/shell/math.c > index 76d22c9bd..83ef85c0c 100644 > --- a/shell/math.c > +++ b/shell/math.c > @@ -588,7 +588,8 @@ evaluate_string(arith_state_t *math_state, const char > *expr) > /* The proof that there can be no more than strlen(startbuf)/2+1 > * integers in any given correct or incorrect expression > * is left as an exercise to the reader. */ > - var_or_num_t *const numstack = alloca((expr_len / 2) * > sizeof(numstack[0])); > + /* Counterexample: 09J results in three integers. */ > + var_or_num_t *const numstack = alloca((expr_len - 2) * > sizeof(numstack[0])); > var_or_num_t *numstackptr = numstack; > /* Stack of operator tokens */ > operator *const stack = alloca(expr_len * sizeof(stack[0])); > -- > 2.38.1 > > _______________________________________________ > busybox mailing list > busybox@busybox.net > http://lists.busybox.net/mailman/listinfo/busybox _______________________________________________ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox