https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195918

--- Comment #4 from jason.unovi...@gmail.com ---
An interesting observation to add: I can trigger this on my amd64 box but not
on my i386 router.  After further investigation, I found through using GDB on
an old 9.1 VM with bin/sh compiled with debugging that expand.c runs atoi and
uses the negative number it receives to read from an array index.  I've
attached the diff, but it's crude and I don't think this is the "right" solution,
but it does prevent any seg faults and errors out cleanly with the bad
substitution.

64 bit:

FreeBSD xts-bsd 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274401: Tue Nov 11
21:02:49 UTC 2014     r...@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC
 amd64
jason@xts-bsd:/usr/src/bin/sh % sh
$ echo b=${1985234857347568347:12:5}
Segmentation fault

32 bit:

FreeBSD xts-rtr 10.1-RELEASE FreeBSD 10.1-RELEASE #0 r274562M: Sun Nov 16
07:37:32 UTC 2014    
root@xts-bsd:/usr/obj/nanobsd.soekris/i386.i386/usr/src/sys/GENERIC  i386
jason@xts-rtr:~ % sh
$ echo b=${1985234857347568347:12:5}
${1985234857347568347:1...}: Bad substitution

_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
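Added example, not part of the original comment and not code from bin/sh: one model of why the same parameter number comes out negative on amd64 but is rejected on i386, next to a range-checked parse. Assumptions: atoi() behaves as (int)strtol(), so the result depends on the width of long; the upper-bound-only check and all function names here are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of atoi() as (int)strtol() for a given width of long (assumption). */
static int32_t atoi_model(const char *s, int long_bits)
{
    long long v = strtoll(s, NULL, 10);
    if (long_bits == 32) {            /* 32-bit long: strtol saturates */
        if (v > INT32_MAX) v = INT32_MAX;
        if (v < INT32_MIN) v = INT32_MIN;
        return (int32_t)v;
    }
    /* 64-bit long: the value fits in long, the cast keeps the low 32 bits */
    return (int32_t)(uint32_t)(uint64_t)v;
}

/* Hypothetical check that only tests the upper bound: negatives pass. */
static int upper_bound_only_ok(int32_t idx, int nparam)
{
    return idx <= nparam;
}

/* Range-checked parse: 0 and *out set on success, -1 for a bad number. */
static int parse_param_index(const char *s, int nparam, int *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE)
        return -1;                    /* not a number, or overflowed */
    if (v < 0 || v > nparam)
        return -1;                    /* outside the positional parameters */
    *out = (int)v;
    return 0;
}

int main(void)
{
    const char *num = "1985234857347568347"; /* number from the report */
    int idx = 0;
    printf("64-bit long model: %d\n", (int)atoi_model(num, 64));
    printf("32-bit long model: %d\n", (int)atoi_model(num, 32));
    printf("checked parse:     %s\n",
           parse_param_index(num, 0, &idx) ? "bad substitution" : "ok");
    return 0;
}
```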