rpms / bash

Clone
Source Code
GIT

Blame bash42-044

c4 c5 c5-plus c6 c6-plus c7 c7-alt c8-beta f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master
  1.   f18
  2.   bash42-044
Blob History Raw
Roman Rakus f43bd3 
			     BASH PATCH REPORT
Roman Rakus f43bd3 
			     =================
Roman Rakus f43bd3
Roman Rakus f43bd3 
Bash-Release:	4.2
Roman Rakus f43bd3 
Patch-ID:	bash42-044
Roman Rakus f43bd3
Roman Rakus f43bd3 
Bug-Reported-by:	"Dashing" <dashing@hushmail.com>
Roman Rakus f43bd3 
Bug-Reference-ID:	<20130211175049.D90786F446@smtp.hushmail.com>
Roman Rakus f43bd3 
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html
Roman Rakus f43bd3
Roman Rakus f43bd3 
Bug-Description:
Roman Rakus f43bd3
Roman Rakus f43bd3 
When converting a multibyte string to a wide character string as part of
Roman Rakus f43bd3 
pattern matching, bash does not handle the end of the string correctly,
Roman Rakus f43bd3 
causing the search for the NUL to go beyond the end of the string and
Roman Rakus f43bd3 
reference random memory.  Depending on the contents of that memory, bash
Roman Rakus f43bd3 
can produce errors or crash.
Roman Rakus f43bd3
Roman Rakus f43bd3 
Patch (apply with `patch -p0'):
Roman Rakus f43bd3
Roman Rakus f43bd3 
*** ../bash-4.2-patched/lib/glob/xmbsrtowcs.c	2012-07-08 21:53:19.000000000 -0400
Roman Rakus f43bd3 
--- lib/glob/xmbsrtowcs.c	2013-02-12 12:00:39.000000000 -0500
Roman Rakus f43bd3 
***************
Roman Rakus f43bd3 
*** 217,220 ****
Roman Rakus f43bd3 
--- 217,226 ----
Roman Rakus f43bd3 
        n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
Roman Rakus f43bd3
Roman Rakus f43bd3 
+       if (n == 0 && p == 0)
Roman Rakus f43bd3 
+ 	{
Roman Rakus f43bd3 
+ 	  wsbuf[wcnum] = L'\0';
Roman Rakus f43bd3 
+ 	  break;
Roman Rakus f43bd3 
+ 	}
Roman Rakus f43bd3 
+
Roman Rakus f43bd3 
        /* Compensate for taking single byte on wcs conversion failure above. */
Roman Rakus f43bd3 
        if (wcslength == 1 && (n == 0 || n == (size_t)-1))
Roman Rakus f43bd3 
***************
Roman Rakus f43bd3 
*** 222,226 ****
Roman Rakus f43bd3 
  	  state = tmp_state;
Roman Rakus f43bd3 
  	  p = tmp_p;
Roman Rakus f43bd3 
! 	  wsbuf[wcnum++] = *p++;
Roman Rakus f43bd3 
  	}
Roman Rakus f43bd3 
        else
Roman Rakus f43bd3 
--- 228,238 ----
Roman Rakus f43bd3 
  	  state = tmp_state;
Roman Rakus f43bd3 
  	  p = tmp_p;
Roman Rakus f43bd3 
! 	  wsbuf[wcnum] = *p;
Roman Rakus f43bd3 
! 	  if (*p == 0)
Roman Rakus f43bd3 
! 	    break;
Roman Rakus f43bd3 
! 	  else
Roman Rakus f43bd3 
! 	    {
Roman Rakus f43bd3 
! 	      wcnum++; p++;
Roman Rakus f43bd3 
! 	    }
Roman Rakus f43bd3 
  	}
Roman Rakus f43bd3 
        else
Roman Rakus f43bd3
Roman Rakus f43bd3 
*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010
Roman Rakus f43bd3 
--- patchlevel.h	Thu Feb 24 21:41:34 2011
Roman Rakus f43bd3 
***************
Roman Rakus f43bd3 
*** 26,30 ****
Roman Rakus f43bd3 
     looks for to find the patch level (for the sccs version string). */
Roman Rakus f43bd3
Roman Rakus f43bd3 
! #define PATCHLEVEL 43
Roman Rakus f43bd3
Roman Rakus f43bd3 
  #endif /* _PATCHLEVEL_H_ */
Roman Rakus f43bd3 
--- 26,30 ----
Roman Rakus f43bd3 
     looks for to find the patch level (for the sccs version string). */
Roman Rakus f43bd3
Roman Rakus f43bd3 
! #define PATCHLEVEL 44
Roman Rakus f43bd3
Roman Rakus f43bd3 
  #endif /* _PATCHLEVEL_H_ */

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation