BASH PATCH REPORT

			     =================

Bash-Release:	4.2

Patch-ID:	bash42-003

Bug-Reported-by:	Clark J. Wang <dearvoid@gmail.com>

Bug-Reference-ID:	<AANLkTikZ_rVV-frR8Fh0PzhXnMKnm5XsUR-F3qtPPs5G@mail.gmail.com>

Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2011-02/msg00136.html

Bug-Description:

When using the pattern replacement and pattern removal word expansions, bash

miscalculates the possible match length in the presence of an unescaped left

bracket without a closing right bracket, resulting in a failure to match

the pattern.

Patch (apply with `patch -p0'):

*** ../bash-4.2-patched/lib/glob/gmisc.c	2011-02-05 16:11:17.000000000 -0500

--- lib/glob/gmisc.c	2011-02-18 23:53:42.000000000 -0500

***************

*** 78,83 ****

       size_t wmax;

  {

!   wchar_t wc, *wbrack;

!   int matlen, t, in_cclass, in_collsym, in_equiv;

    if (*wpat == 0)

--- 78,83 ----

       size_t wmax;

  {

!   wchar_t wc;

!   int matlen, bracklen, t, in_cclass, in_collsym, in_equiv;

    if (*wpat == 0)

***************

*** 119,123 ****

  	case L'[':

  	  /* scan for ending `]', skipping over embedded [:...:] */

! 	  wbrack = wpat;

  	  wc = *wpat++;

  	  do

--- 119,123 ----

  	case L'[':

  	  /* scan for ending `]', skipping over embedded [:...:] */

! 	  bracklen = 1;

  	  wc = *wpat++;

  	  do

***************

*** 125,140 ****

  	      if (wc == 0)

  		{

! 	          matlen += wpat - wbrack - 1;	/* incremented below */

! 	          break;

  	        }

  	      else if (wc == L'\\')

  		{

! 		  wc = *wpat++;

! 		  if (*wpat == 0)

! 		    break;

  		}

  	      else if (wc == L'[' && *wpat == L':')	/* character class */

  		{

  		  wpat++;

  		  in_cclass = 1;

  		}

--- 125,148 ----

  	      if (wc == 0)

  		{

! 		  wpat--;			/* back up to NUL */

! 	          matlen += bracklen;

! 	          goto bad_bracket;

  	        }

  	      else if (wc == L'\\')

  		{

! 		  /* *wpat == backslash-escaped character */

! 		  bracklen++;

! 		  /* If the backslash or backslash-escape ends the string,

! 		     bail.  The ++wpat skips over the backslash escape */

! 		  if (*wpat == 0 || *++wpat == 0)

! 		    {

! 		      matlen += bracklen;

! 		      goto bad_bracket;

! 		    }

  		}

  	      else if (wc == L'[' && *wpat == L':')	/* character class */

  		{

  		  wpat++;

+ 		  bracklen++;

  		  in_cclass = 1;

  		}

***************

*** 142,145 ****

--- 150,154 ----

  		{

  		  wpat++;

+ 		  bracklen++;

  		  in_cclass = 0;

  		}

***************

*** 147,152 ****

  		{

  		  wpat++;

  		  if (*wpat == L']')	/* right bracket can appear as collating symbol */

! 		    wpat++;

  		  in_collsym = 1;

  		}

--- 156,165 ----

  		{

  		  wpat++;

+ 		  bracklen++;

  		  if (*wpat == L']')	/* right bracket can appear as collating symbol */

! 		    {

! 		      wpat++;

! 		      bracklen++;

! 		    }

  		  in_collsym = 1;

  		}

***************

*** 154,157 ****

--- 167,171 ----

  		{

  		  wpat++;

+ 		  bracklen++;

  		  in_collsym = 0;

  		}

***************

*** 159,164 ****

  		{

  		  wpat++;

  		  if (*wpat == L']')	/* right bracket can appear as equivalence class */

! 		    wpat++;

  		  in_equiv = 1;

  		}

--- 173,182 ----

  		{

  		  wpat++;

+ 		  bracklen++;

  		  if (*wpat == L']')	/* right bracket can appear as equivalence class */

! 		    {

! 		      wpat++;

! 		      bracklen++;

! 		    }

  		  in_equiv = 1;

  		}

***************

*** 166,174 ****

--- 184,196 ----

  		{

  		  wpat++;

+ 		  bracklen++;

  		  in_equiv = 0;

  		}

+ 	      else

+ 		bracklen++;

  	    }

  	  while ((wc = *wpat++) != L']');

  	  matlen++;		/* bracket expression can only match one char */

+ bad_bracket:

  	  break;

  	}

***************

*** 214,219 ****

       size_t max;

  {

!   char c, *brack;

!   int matlen, t, in_cclass, in_collsym, in_equiv;

    if (*pat == 0)

--- 236,241 ----

       size_t max;

  {

!   char c;

!   int matlen, bracklen, t, in_cclass, in_collsym, in_equiv;

    if (*pat == 0)

***************

*** 255,259 ****

  	case '[':

  	  /* scan for ending `]', skipping over embedded [:...:] */

! 	  brack = pat;

  	  c = *pat++;

  	  do

--- 277,281 ----

  	case '[':

  	  /* scan for ending `]', skipping over embedded [:...:] */

! 	  bracklen = 1;

  	  c = *pat++;

  	  do

***************

*** 261,276 ****

  	      if (c == 0)

  		{

! 	          matlen += pat - brack - 1;	/* incremented below */

! 	          break;

  	        }

  	      else if (c == '\\')

  		{

! 		  c = *pat++;

! 		  if (*pat == 0)

! 		    break;

  		}

  	      else if (c == '[' && *pat == ':')	/* character class */

  		{

  		  pat++;

  		  in_cclass = 1;

  		}

--- 283,306 ----

  	      if (c == 0)

  		{

! 		  pat--;			/* back up to NUL */

! 		  matlen += bracklen;

! 		  goto bad_bracket;

  	        }

  	      else if (c == '\\')

  		{

! 		  /* *pat == backslash-escaped character */

! 		  bracklen++;

! 		  /* If the backslash or backslash-escape ends the string,

! 		     bail.  The ++pat skips over the backslash escape */

! 		  if (*pat == 0 || *++pat == 0)

! 		    {

! 		      matlen += bracklen;

! 		      goto bad_bracket;

! 		    }

  		}

  	      else if (c == '[' && *pat == ':')	/* character class */

  		{

  		  pat++;

+ 		  bracklen++;

  		  in_cclass = 1;

  		}

***************

*** 278,281 ****

--- 308,312 ----

  		{

  		  pat++;

+ 		  bracklen++;

  		  in_cclass = 0;

  		}

***************

*** 283,288 ****

  		{

  		  pat++;

  		  if (*pat == ']')	/* right bracket can appear as collating symbol */

! 		    pat++;

  		  in_collsym = 1;

  		}

--- 314,323 ----

  		{

  		  pat++;

+ 		  bracklen++;

  		  if (*pat == ']')	/* right bracket can appear as collating symbol */

! 		    {

! 		      pat++;

! 		      bracklen++;

! 		    }

  		  in_collsym = 1;

  		}

***************

*** 290,293 ****

--- 325,329 ----

  		{

  		  pat++;

+ 		  bracklen++;

  		  in_collsym = 0;

  		}

***************

*** 295,300 ****

  		{

  		  pat++;

  		  if (*pat == ']')	/* right bracket can appear as equivalence class */

! 		    pat++;

  		  in_equiv = 1;

  		}

--- 331,340 ----

  		{

  		  pat++;

+ 		  bracklen++;

  		  if (*pat == ']')	/* right bracket can appear as equivalence class */

! 		    {

! 		      pat++;

! 		      bracklen++;

! 		    }

  		  in_equiv = 1;

  		}

***************

*** 302,310 ****

--- 342,354 ----

  		{

  		  pat++;

+ 		  bracklen++;

  		  in_equiv = 0;

  		}

+ 	      else

+ 		bracklen++;

  	    }

  	  while ((c = *pat++) != ']');

  	  matlen++;		/* bracket expression can only match one char */

+ bad_bracket:

  	  break;

  	}

*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010

--- patchlevel.h	Thu Feb 24 21:41:34 2011

***************

*** 26,30 ****

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 2

  #endif /* _PATCHLEVEL_H_ */

--- 26,30 ----

     looks for to find the patch level (for the sccs version string). */

! #define PATCHLEVEL 3

  #endif /* _PATCHLEVEL_H_ */