Fix a panic which could occur parsing #!-lines in a shell-script. If the

#!-line had multiple whitespace characters after the interpreter name, and
it did not have any options, then the code would do nasty things trying to
process a (non-existent) option-string which "ended before it began"...

Submitted by:	Morten Johansen
Approved by:	re (dwhite)

1 files changed, 3 insertions, 3 deletions

diff --git a/sys/kern/imgact_shell.c b/sys/kern/imgact_shell.c
index 43cf2f7..2f8b133 100644
--- a/sys/kern/imgact_shell.c
+++ b/sys/kern/imgact_shell.c
@@ -161,7 +161,7 @@ exec_shell_imgact(imgp)
 	while (ihp < maxp && ((*ihp != '\n') && (*ihp != '\0')))
 		ihp++;
 	opte = ihp;
-	while (--ihp > interpe && ((*ihp == ' ') || (*ihp == '\t')))
+	while (--ihp > optb && ((*ihp == ' ') || (*ihp == '\t')))
 		opte = ihp;
 
 	/*
@@ -173,7 +173,7 @@ exec_shell_imgact(imgp)
 	 * area, and 'length' as the number of bytes being removed.
 	 */
 	offset = interpe - interpb + 1;			/* interpreter */
-	if (opte != optb)				/* options (if any) */
+	if (opte > optb)				/* options (if any) */
 		offset += opte - optb + 1;
 	offset += strlen(imgp->args->fname) + 1;	/* fname of script */
 	length = (imgp->args->argc == 0) ? 0 :
@@ -208,7 +208,7 @@ exec_shell_imgact(imgp)
 	bcopy(interpb, imgp->args->buf, length);
 	*(imgp->args->buf + length) = '\0';
 	offset = length + 1;
-	if (opte != optb) {
+	if (opte > optb) {
 		length = opte - optb;
 		bcopy(optb, imgp->args->buf + offset, length);
 		*(imgp->args->buf + offset + length) = '\0';