AddressSanitizer: heap-use-after-free in parse_double_bracket_operand_regex
Commit dbdfea29bf002abd3f134e1bfd942aa2a28ab7ab is r4177 on OSDN.
magicant Thank you for reporting the bug.
Related problem: [[ x =~ ($(echo x)) ]] does not parse.
magicant Fixed in r4178
Reproduced by compiling yash with AddressSanitizer and run this script.
AddressSanitizer output:
freed by thread T0 here: #0 0x525022 in free (/home/ubuntu/repos/yash/parser_fuzzer+0x525022) #1 0x588cc6 in wordunitfree /home/ubuntu/repos/yash/parser.c:202:5 #2 0x588917 in wordfree /home/ubuntu/repos/yash/parser.c:209:2 #3 0x58cf6f in next_token /home/ubuntu/repos/yash/parser.c:1022:5 #4 0x592891 in extract_command_in_paren /home/ubuntu/repos/yash/parser.c:1558:2 #5 0x5919fd in parse_cmdsubst_in_paren /home/ubuntu/repos/yash/parser.c:1524:22 #6 0x58f63b in parse_special_word_unit /home/ubuntu/repos/yash/parser.c:1276:13 #7 0x598d9f in parse_double_bracket_operand_regex /home/ubuntu/repos/yash/parser.c:2981:20MAKE_WORDUNIT_STRING on parser.c:2980 reads a token and saves it to lastp, but invoking parse_special_word_unit on parser.c:2981 which eventually calls next_token will free lastp, as shown in the above stack trace. So writing to lastp on parser.c:2984 is detected by AddressSanitizer as heap-use-after-free:
==27393==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000580 at pc 0x000000599119 bp 0x7ffd83c3df90 sp 0x7ffd83c3df88 WRITE of size 8 at 0x603000000580 thread T0 #0 0x599118 in parse_double_bracket_operand_regex /home/ubuntu/repos/yash/parser.c:2984:14Line numbers are from commit dbdfea29bf002abd3f134e1bfd942aa2a28ab7ab.