75 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			75 lines
		
	
	
		
			1.8 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| 			     BASH PATCH REPORT
 | |
| 			     =================
 | |
| 
 | |
| Bash-Release: 3.2
 | |
| Patch-ID: bash32-034
 | |
| 
 | |
| Bug-Reported-by:	Ian Campbell <ian.campbell@xensource.com>
 | |
| Bug-Reference-ID:	<EXCHPAFExU3l5bhn1ow00001dfe@rpc.xensource.com>
 | |
| Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2007-10/msg00060.html
 | |
| 
 | |
| Bug-Description:
 | |
| 
 | |
| The bash getcwd replacement will write past the end of allocated memory
 | |
| when it allocates the buffer itself if it uses the buffer size passed as
 | |
| an argument, and that size is less than the length of the pathname.
 | |
| 
 | |
| Patch:
 | |
| 
 | |
| *** ../bash-3.2-patched/lib/sh/getcwd.c	2004-07-21 17:15:19.000000000 -0400
 | |
| --- lib/sh/getcwd.c	2007-12-31 19:26:36.000000000 -0500
 | |
| ***************
 | |
| *** 252,268 ****
 | |
|     {
 | |
|       size_t len = pathbuf + pathsize - pathp;
 | |
|       if (buf == NULL)
 | |
|         {
 | |
| ! 	if (len < (size_t) size)
 | |
| ! 	  len = size;
 | |
| ! 	buf = (char *) malloc (len);
 | |
|   	if (buf == NULL)
 | |
|   	  goto lose2;
 | |
|         }
 | |
| !     else if ((size_t) size < len)
 | |
| !       {
 | |
| ! 	errno = ERANGE;
 | |
| ! 	goto lose2;
 | |
| !       }
 | |
|       (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
 | |
|     }
 | |
| --- 287,305 ----
 | |
|     {
 | |
|       size_t len = pathbuf + pathsize - pathp;
 | |
| +     if (buf == NULL && size <= 0)
 | |
| +       size = len;
 | |
| + 
 | |
| +     if ((size_t) size < len)
 | |
| +       {
 | |
| + 	errno = ERANGE;
 | |
| + 	goto lose2;
 | |
| +       }
 | |
|       if (buf == NULL)
 | |
|         {
 | |
| ! 	buf = (char *) malloc (size);
 | |
|   	if (buf == NULL)
 | |
|   	  goto lose2;
 | |
|         }
 | |
| ! 
 | |
|       (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
 | |
|     }
 | |
| *** ../bash-3.2/patchlevel.h	Thu Apr 13 08:31:04 2006
 | |
| --- patchlevel.h	Mon Oct 16 14:22:54 2006
 | |
| ***************
 | |
| *** 26,30 ****
 | |
|      looks for to find the patch level (for the sccs version string). */
 | |
|   
 | |
| ! #define PATCHLEVEL 33
 | |
|   
 | |
|   #endif /* _PATCHLEVEL_H_ */
 | |
| --- 26,30 ----
 | |
|      looks for to find the patch level (for the sccs version string). */
 | |
|   
 | |
| ! #define PATCHLEVEL 34
 | |
|   
 | |
|   #endif /* _PATCHLEVEL_H_ */
 |