From 585dde8a038b3a7e4f5bc1f7ee9f5b02e3515121 Mon Sep 17 00:00:00 2001
From: gad
Date: Sun, 19 Jun 2005 02:21:03 +0000
Subject: Fix a panic which could occur parsing #!-lines in a shell-script. If the #!-line had multiple whitespace characters after the interpreter name, and it did not have any options, then the code would do nasty things trying to process a (non-existent) option-string which "ended before it began"...
Submitted by: Morten Johansen
Approved by: re (dwhite)
---
 sys/kern/imgact_shell.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'sys/kern/imgact_shell.c')
diff --git a/sys/kern/imgact_shell.c b/sys/kern/imgact_shell.c
index 43cf2f7..2f8b133 100644
--- a/sys/kern/imgact_shell.c
+++ b/sys/kern/imgact_shell.c
@@ -161,7 +161,7 @@ exec_shell_imgact(imgp)
 while (ihp < maxp && ((*ihp != '\n') && (*ihp != '\0')))
 ihp++;
 opte = ihp;
- while (--ihp > interpe && ((*ihp == ' ') || (*ihp == '\t')))
+ while (--ihp > optb && ((*ihp == ' ') || (*ihp == '\t')))
 opte = ihp;

 /*
@@ -173,7 +173,7 @@ exec_shell_imgact(imgp)
 * area, and 'length' as the number of bytes being removed.
 */
 offset = interpe - interpb + 1; /* interpreter */
- if (opte != optb) /* options (if any) */
+ if (opte > optb) /* options (if any) */
 offset += opte - optb + 1;
 offset += strlen(imgp->args->fname) + 1; /* fname of script */
 length = (imgp->args->argc == 0) ? 0 :
@@ -208,7 +208,7 @@ exec_shell_imgact(imgp)
 bcopy(interpb, imgp->args->buf, length);
 *(imgp->args->buf + length) = '\0';
 offset = length + 1;
- if (opte != optb) {
+ if (opte > optb) {
 length = opte - optb;
 bcopy(optb, imgp->args->buf + offset, length);
 *(imgp->args->buf + offset + length) = '\0';
-- 
cgit v1.1
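Review bot: The new lower bound in the trim loop of the first hunk, `while (--ihp > optb && ...)`, carries the whole fix but has no comment saying why `optb` rather than `interpe` is the limit. I would add above it `/* Trim trailing blanks, but never back up past optb: with no options opte == optb. */`, so the invariant `opte >= optb` that the later `opte - optb` length computations depend on is written down. An assertion after the loop, `KASSERT(opte >= optb, ("%s: option end before start", __func__));`, would make that invariant checkable in debug kernels. The body of exec_shell_imgact starts and ends outside the hunk, so how `optb` is assigned is inferred from the commit message rather than visible here.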
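Review bot: The test `if (opte > optb)` now appears twice, in this hunk where the option string's space is added to `offset` and in the hunk at line 208 where the bytes are copied with `bcopy`, and the two must always agree or the reserved size and the copied size diverge. Computing the option length once, for example `optlen = (opte > optb) ? opte - optb : 0;`, and testing `optlen != 0` in both places would tie sizing and copying to a single value. The declarations, and any check of `offset` against the argument buffer's capacity, lie outside the visible hunks, so this is a robustness point and not a demonstrated defect.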