71 lines
1.8 KiB
Plaintext
71 lines
1.8 KiB
Plaintext
BASH PATCH REPORT
|
|
=================
|
|
|
|
Bash-Release: 4.2
|
|
Patch-ID: bash42-044
|
|
|
|
Bug-Reported-by: "Dashing" <dashing@hushmail.com>
|
|
Bug-Reference-ID: <20130211175049.D90786F446@smtp.hushmail.com>
|
|
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html
|
|
|
|
Bug-Description:
|
|
|
|
When converting a multibyte string to a wide character string as part of
|
|
pattern matching, bash does not handle the end of the string correctly,
|
|
causing the search for the NUL to go beyond the end of the string and
|
|
reference random memory. Depending on the contents of that memory, bash
|
|
can produce errors or crash.
|
|
|
|
Patch (apply with `patch -p0'):
|
|
|
|
*** ../bash-4.2-patched/lib/glob/xmbsrtowcs.c 2012-07-08 21:53:19.000000000 -0400
|
|
--- lib/glob/xmbsrtowcs.c 2013-02-12 12:00:39.000000000 -0500
|
|
***************
|
|
*** 217,220 ****
|
|
--- 217,226 ----
|
|
n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
|
|
|
|
+ if (n == 0 && p == 0)
|
|
+ {
|
|
+ wsbuf[wcnum] = L'\0';
|
|
+ break;
|
|
+ }
|
|
+
|
|
/* Compensate for taking single byte on wcs conversion failure above. */
|
|
if (wcslength == 1 && (n == 0 || n == (size_t)-1))
|
|
***************
|
|
*** 222,226 ****
|
|
state = tmp_state;
|
|
p = tmp_p;
|
|
! wsbuf[wcnum++] = *p++;
|
|
}
|
|
else
|
|
--- 228,238 ----
|
|
state = tmp_state;
|
|
p = tmp_p;
|
|
! wsbuf[wcnum] = *p;
|
|
! if (*p == 0)
|
|
! break;
|
|
! else
|
|
! {
|
|
! wcnum++; p++;
|
|
! }
|
|
}
|
|
else
|
|
|
|
*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
|
|
--- patchlevel.h Thu Feb 24 21:41:34 2011
|
|
***************
|
|
*** 26,30 ****
|
|
looks for to find the patch level (for the sccs version string). */
|
|
|
|
! #define PATCHLEVEL 43
|
|
|
|
#endif /* _PATCHLEVEL_H_ */
|
|
--- 26,30 ----
|
|
looks for to find the patch level (for the sccs version string). */
|
|
|
|
! #define PATCHLEVEL 44
|
|
|
|
#endif /* _PATCHLEVEL_H_ */
|