From 5197ec62d997b72d14ec7456257e216a16ce964e Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Sat, 15 Oct 2022 16:35:14 +0200
Subject: [PATCH 1/5] Add item to the fuzz corpus

Add an item that cause crashes when fuzzing cmd.exe in the repository in the CI at [1]. Based on local testing this also affects PowerShell.

--
1. 6c31238de6bad3977fac5cf4844890883a615c3d
---
 ...9c65ce839200b4449208a67e60b40e723805cb9bc528ccdb44c3ae53b0966 | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 test/fuzz/corpus/9729c65ce839200b4449208a67e60b40e723805cb9bc528ccdb44c3ae53b0966

diff --git a/test/fuzz/corpus/9729c65ce839200b4449208a67e60b40e723805cb9bc528ccdb44c3ae53b0966 b/test/fuzz/corpus/9729c65ce839200b4449208a67e60b40e723805cb9bc528ccdb44c3ae53b0966
new file mode 100644
index 000000000..7fd26bb5c
--- /dev/null
+++ b/test/fuzz/corpus/9729c65ce839200b4449208a67e60b40e723805cb9bc528ccdb44c3ae53b0966
@@ -0,0 +1 @@
+[9\\
\ No newline at end of file

From 4c2b3238463a28104e4376d421a8f51ea0727f71 Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Sun, 16 Oct 2022 15:28:08 +0200
Subject: [PATCH 2/5] Update cmd.exe fuzz preparation

Update the arg preparation when fuzzing cmd.exe by accounting for newly stripped characters by Shescape when preparing arguments containing forward slashes. In particular in addition to `\0`, Shescape also strips `\u0008`, `\u001B`, and `\u009B`. Accordingly, fix the comment explaining to replacement as it incorrectly claims that `\0` is ignored (while in fact it's Shescape that removes it).
---
 test/fuzz/_common.cjs | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/test/fuzz/_common.cjs b/test/fuzz/_common.cjs
index 4cedb47f7..68ec28768 100644
--- a/test/fuzz/_common.cjs
+++ b/test/fuzz/_common.cjs
@@ -113,12 +113,17 @@ function prepareArg({ arg, quoted, shell }, disableExtraWindowsPreparations) {
 if (isShellCmd(shell)) {
 // ... in CMD, depending on if the argument is quotes ...
 if (quoted) {
- // ... interprets arguments with `\"` as `"` (even if there's a
- // null character between `\` and `"`) so we escape the `\`.
- arg = arg.replace(/(?
Date: Sun, 16 Oct 2022 15:32:26 +0200
Subject: [PATCH 3/5] Add item to the fuzz corpus

Add an item that cause crashes when fuzzing PowerShell in the repository in the CI at [1]. Based on local testing this does not affect cmd.exe

--
1. 6c31238de6bad3977fac5cf4844890883a615c3d
---
 ...90140481b33049493d421f1e6f9a3a0c629cbda426ba7106809330595a7c9 | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 test/fuzz/corpus/4af90140481b33049493d421f1e6f9a3a0c629cbda426ba7106809330595a7c9

diff --git a/test/fuzz/corpus/4af90140481b33049493d421f1e6f9a3a0c629cbda426ba7106809330595a7c9 b/test/fuzz/corpus/4af90140481b33049493d421f1e6f9a3a0c629cbda426ba7106809330595a7c9
new file mode 100644
index 000000000..beab06330
--- /dev/null
+++ b/test/fuzz/corpus/4af90140481b33049493d421f1e6f9a3a0c629cbda426ba7106809330595a7c9
@@ -0,0 +1 @@
+ Lü\\\
\ No newline at end of file

From 7ca4527e4c21a89918bd3994f0c299448af5c5e1 Mon Sep 17 00:00:00 2001
From: Eric Cornelissen
Date: Sun, 16 Oct 2022 17:44:56 +0200
Subject: [PATCH 4/5] Update PowerShell fuzz preparation

Update the arg preparation when fuzzing PowerShell by accounting for newly stripped characters by Shescape when preparing arguments containing forward slashes. In particular in addition to `\0`, Shescape also strips `\u0008`, `\u001B`, and `\u009B`. Accordingly, fix comments explaining the replacements as they incorrectly claim that `\0` is ignored (while in fact it's Shescape that removes it).
---
 test/fuzz/_common.cjs | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/test/fuzz/_common.cjs b/test/fuzz/_common.cjs
index 68ec28768..8a0ef4bc4 100644
--- a/test/fuzz/_common.cjs
+++ b/test/fuzz/_common.cjs
@@ -141,14 +141,18 @@ function prepareArg({ arg, quoted, shell }, disableExtraWindowsPreparations) {
 // extra double quotes as `""""` ...
 arg = arg.replace(/"/gu, `""`);
- // ... and interprets arguments with `\"` as `"` (even if there's a null
- // character between `\` and `"`) so we escape the `\`.
- arg = arg.replace(/(?
Date: Sun, 16 Oct 2022 17:59:52 +0200
Subject: [PATCH 5/5] Improve PowerShell fuzz preparation

Improve how the carriage return character is considered when preparing arguments for PowerShell. In particular, rather than only considering it at the end of the argument, consider it any time it's not followed by a line feed.
---
 test/fuzz/_common.cjs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/test/fuzz/_common.cjs b/test/fuzz/_common.cjs
index 8a0ef4bc4..14a3beb22 100644
--- a/test/fuzz/_common.cjs
+++ b/test/fuzz/_common.cjs
@@ -143,14 +143,14 @@ function prepareArg({ arg, quoted, shell }, disableExtraWindowsPreparations) {
 // ... and interprets arguments with `\"` as `"` so we escape the `\`.
 arg = arg.replace(
- /(?