Roman Rakus f6ffed
			     BASH PATCH REPORT
			     =================
Bash-Release:	4.2
Patch-ID:	bash42-044
Bug-Reported-by:	"Dashing" <dashing@hushmail.com>
Bug-Reference-ID:	<20130211175049.D90786F446@smtp.hushmail.com>
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html
Bug-Description:
When converting a multibyte string to a wide character string as part of
pattern matching, bash does not handle the end of the string correctly,
causing the search for the NUL to go beyond the end of the string and
reference random memory.  Depending on the contents of that memory, bash
can produce errors or crash. 
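
The end-of-string condition described above, as an added example (not code from bash or from this patch): a chunked conversion loop that treats a NULL source pointer from mbsnrtowcs() as "terminator reached" and stops there. The name chunked_mbstowcs, its chunk parameter and the ASCII sample inputs are constructed for illustration and assume the default "C" locale.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* exposes mbsnrtowcs() */
#endif
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Convert NUL-terminated multibyte `src` into `dst` (room for `cap` wide
   chars, terminator included), giving mbsnrtowcs() at most `chunk` bytes
   per call.  Returns the wide chars stored, terminator not counted, or
   (size_t)-1 on an invalid sequence, a full buffer or no progress. */
size_t chunked_mbstowcs(wchar_t *dst, size_t cap, const char *src, size_t chunk)
{
  mbstate_t state;
  const char *p = src;
  size_t wcnum = 0;

  memset(&state, 0, sizeof state);
  while (p != NULL)
    {
      const char *before = p;
      size_t n;

      if (wcnum >= cap)
        return (size_t)-1;              /* no room left for the terminator */
      n = mbsnrtowcs(dst + wcnum, &p, chunk, cap - wcnum, &state);
      if (n == (size_t)-1)
        return (size_t)-1;              /* invalid multibyte sequence */
      /* p == NULL: the terminating NUL was reached and stored at
         dst[wcnum + n].  With n == 0 that NUL was the only thing left;
         stop here and never advance a byte pointer past it. */
      if (p != NULL && n == 0 && p == before)
        return (size_t)-1;              /* no progress, e.g. chunk == 0 */
      wcnum += n;
    }
  return wcnum;
}

int main(void)
{
  /* Constructed ASCII inputs; the default "C" locale is assumed. */
  const char *samples[] = { "abcd", "abcdefg", "" };
  wchar_t buf[16];

  for (size_t i = 0; i < 3; i++)
    printf("%zu\n", chunked_mbstowcs(buf, 16, samples[i], 4));
  return 0;
}
```
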
Patch (apply with `patch -p0'):
*** ../bash-4.2-patched/lib/glob/xmbsrtowcs.c	2012-07-08 21:53:19.000000000 -0400
--- lib/glob/xmbsrtowcs.c	2013-02-12 12:00:39.000000000 -0500
***************
*** 217,220 ****
--- 217,226 ----
        n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
  
+       if (n == 0 && p == 0)
+ 	{
+ 	  wsbuf[wcnum] = L'\0';
+ 	  break;
+ 	}
+ 
        /* Compensate for taking single byte on wcs conversion failure above. */
        if (wcslength == 1 && (n == 0 || n == (size_t)-1))
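Review bot: the new `if (n == 0 && p == 0)` test has no comment, unlike the "Compensate for ..." check right below it, and it is not obvious from the code why a null `p` means end of input. Suggest a one-line comment saying that mbsnrtowcs() sets the source pointer to NULL once it has converted the terminating NUL, and writing the test as `p == NULL`. The placement ahead of the `wcslength == 1 && (n == 0 || ...)` check matters, since that check also matches `n == 0`; the comment should say so, so the order is not changed later.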
***************
*** 222,226 ****
  	  state = tmp_state;
  	  p = tmp_p;
! 	  wsbuf[wcnum++] = *p++;
  	}
        else
--- 228,238 ----
  	  state = tmp_state;
  	  p = tmp_p;
! 	  wsbuf[wcnum] = *p;
! 	  if (*p == 0)
! 	    break;
! 	  else
! 	    {
! 	      wcnum++; p++;
! 	    }
  	}
        else
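Review bot: in the replacement for `wsbuf[wcnum++] = *p++;`, the `*p == 0` branch stores the terminator but deliberately leaves `wcnum` and `p` unadvanced, and nothing in the code says so. A short comment would help (terminator stored, not counted, pointer not moved past it). The `else` after `break` is redundant, and `wcnum++; p++;` puts two statements on one line; dropping the `else` and splitting the line would read more plainly.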
*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010
--- patchlevel.h	Thu Feb 24 21:41:34 2011
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 43
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 44
  
  #endif /* _PATCHLEVEL_H_ */