Executing Ctrl-^ as a command crashes the app

[l2dy]

ios_system uses 0x1e as its internal Record Separator for arguments with both ' and ". The internal 0x1e always comes in pairs, except when you put one in the input, in which case strchr(argument + 1, recordSeparator) could return NULL and the functions returns 0x1, an invalid address to call strlen() upon.

diff --git a/ios_system.m b/ios_system.m
index 21e9eeb..87a498b 100644
--- a/ios_system.m
+++ b/ios_system.m
@@ -2459,6 +2459,7 @@ static char* getLastCharacterOfArgument(const char* argument) {
         return NULL;
     } else if (argument[0] == recordSeparator) {
         char* endquote = strchr(argument + 1, recordSeparator);
+        if (endquote == NULL) return NULL; // be safe
         return endquote + 1;
     }
     // TODO: the last character of the argument could also be '<' or '>' (vim does that, with no space after file name)

Related: blinksh/blink#1994

[l2dy]

ios_system/ios_system.m

Line 3011 in 430d87d

assert(argc < numSpaces + 2);

4 or more 0x1e would also trigger this assertion. If we don't have a real-world use case for having 0x1e in a command, maybe we should consider stripping 0x1e out before passing it to ios_system.

[holzschu]

Thanks for this. That makes sense. I've added it to the code.

[holzschu]

Release v3.0.3 has this fix incorporated: https://github.com/holzschu/ios_system/releases/tag/v3.0.3

[l2dy]

Release v3.0.3 has this fix incorporated: https://github.com/holzschu/ios_system/releases/tag/v3.0.3

Thanks! Is the release notes incomplete?