bash/bash43-009

65 lines
2.4 KiB
Plaintext
Raw Normal View History

2014-04-14 07:35:05 +00:00
BASH PATCH REPORT
=================
Bash-Release: 4.3
Patch-ID: bash43-009
Bug-Reported-by: Matthias Klose <doko@debian.org>
Bug-Reference-ID: <53346FC8.6090005@debian.org>
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2014-03/msg00171.html
Bug-Description:
There is a problem with unsigned sign extension when attempting to reallocate
the input line when it is fewer than 3 characters long and there has been a
history expansion. The sign extension causes the shell to not reallocate the
line, which results in a segmentation fault when it writes past the end.
Patch (apply with `patch -p0'):
*** ../bash-4.3-patched/parse.y 2014-02-11 09:42:10.000000000 -0500
--- parse.y 2014-03-27 16:33:29.000000000 -0400
***************
*** 2425,2429 ****
if (shell_input_line_terminator != EOF)
{
! if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
shell_input_line = (char *)xrealloc (shell_input_line,
1 + (shell_input_line_size += 2));
--- 2425,2429 ----
if (shell_input_line_terminator != EOF)
{
! if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
shell_input_line = (char *)xrealloc (shell_input_line,
1 + (shell_input_line_size += 2));
*** ../bash-4.3-patched/y.tab.c 2014-03-28 11:17:06.000000000 -0400
--- y.tab.c 2014-04-07 11:48:31.000000000 -0400
***************
*** 4737,4741 ****
if (shell_input_line_terminator != EOF)
{
! if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
shell_input_line = (char *)xrealloc (shell_input_line,
1 + (shell_input_line_size += 2));
--- 4737,4741 ----
if (shell_input_line_terminator != EOF)
{
! if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
shell_input_line = (char *)xrealloc (shell_input_line,
1 + (shell_input_line_size += 2));
*** ../bash-4.3/patchlevel.h 2012-12-29 10:47:57.000000000 -0500
--- patchlevel.h 2014-03-20 20:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 8
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 9
#endif /* _PATCHLEVEL_H_ */