diff options
| author | Tuomas Tynkkynen <tuomas@tuxera.com> | 2018-02-19 17:52:33 +0200 |
|---|---|---|
| committer | Tuomas Tynkkynen <tuomas@tuxera.com> | 2018-02-26 19:49:13 +0200 |
| commit | 77e9e1ed91182cb8409d325e225a99decb49b3d5 (patch) | |
| tree | 26178762b948c9c64812a3aad90164de4f8a0df2 /src | |
| parent | 24ec7500032c2434e450b7bc3f77ff4c1f12c41c (diff) | |
libexpr: Fix prim_replaceStrings() to work on an empty source string
Otherwise, running e.g.
nix-instantiate --eval -E --strict 'builtins.replaceStrings [""] ["X"] "abc"'
would just hang in an infinite loop.
Found by afl-fuzz.
First attempt of this was reverted in e2d71bd1862cdda because it caused
another infinite loop, which is fixed now and a test added.
Diffstat (limited to 'src')
| -rw-r--r-- | src/libexpr/primops.cc | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc index a800d2429..db258ea18 100644 --- a/src/libexpr/primops.cc +++ b/src/libexpr/primops.cc @@ -1913,21 +1913,32 @@ static void prim_replaceStrings(EvalState & state, const Pos & pos, Value * * ar auto s = state.forceString(*args[2], context, pos); string res; - for (size_t p = 0; p < s.size(); ) { + // Loops one past last character to handle the case where 'from' contains an empty string. + for (size_t p = 0; p <= s.size(); ) { bool found = false; auto i = from.begin(); auto j = to.begin(); for (; i != from.end(); ++i, ++j) if (s.compare(p, i->size(), *i) == 0) { found = true; - p += i->size(); res += j->first; + if (i->empty()) { + if (p < s.size()) + res += s[p]; + p++; + } else { + p += i->size(); + } for (auto& path : j->second) context.insert(path); j->second.clear(); break; } - if (!found) res += s[p++]; + if (!found) { + if (p < s.size()) + res += s[p]; + p++; + } } mkString(v, res, context); |