1 BASH PATCH REPORT |
|
2 ================= |
|
3 |
|
4 Bash-Release: 4.1 |
|
5 Patch-ID: bash41-015 |
|
6 |
|
7 Bug-Reported-by: Florian Weimer <[email protected]> |
|
8 Bug-Reference-ID: |
|
9 Bug-Reference-URL: |
|
10 |
|
11 Bug-Description: |
|
12 |
|
13 There are two local buffer overflows in parse.y that can cause the shell |
|
14 to dump core when given many here-documents attached to a single command |
|
15 or many nested loops. |
|
16 |
|
17 Patch (apply with `patch -p0'): |
|
18 |
|
19 *** ../bash-4.1.14/parse.y 2014-09-27 12:18:25.000000000 -0400 |
|
20 --- parse.y 2014-09-30 19:36:03.000000000 -0400 |
|
21 *************** |
|
22 *** 168,171 **** |
|
23 --- 168,174 ---- |
|
24 static int reserved_word_acceptable __P((int)); |
|
25 static int yylex __P((void)); |
|
26 + |
|
27 + static void push_heredoc __P((REDIRECT *)); |
|
28 + static char *mk_alexpansion __P((char *)); |
|
29 static int alias_expand_token __P((char *)); |
|
30 static int time_command_acceptable __P((void)); |
|
31 *************** |
|
32 *** 262,266 **** |
|
33 /* Variables to manage the task of reading here documents, because we need to |
|
34 defer the reading until after a complete command has been collected. */ |
|
35 ! static REDIRECT *redir_stack[10]; |
|
36 int need_here_doc; |
|
37 |
|
38 --- 265,271 ---- |
|
39 /* Variables to manage the task of reading here documents, because we need to |
|
40 defer the reading until after a complete command has been collected. */ |
|
41 ! #define HEREDOC_MAX 16 |
|
42 ! |
|
43 ! static REDIRECT *redir_stack[HEREDOC_MAX]; |
|
44 int need_here_doc; |
|
45 |
|
46 *************** |
|
47 *** 304,308 **** |
|
48 index is decremented after a case, select, or for command is parsed. */ |
|
49 #define MAX_CASE_NEST 128 |
|
50 ! static int word_lineno[MAX_CASE_NEST]; |
|
51 static int word_top = -1; |
|
52 |
|
53 --- 309,313 ---- |
|
54 index is decremented after a case, select, or for command is parsed. */ |
|
55 #define MAX_CASE_NEST 128 |
|
56 ! static int word_lineno[MAX_CASE_NEST+1]; |
|
57 static int word_top = -1; |
|
58 |
|
59 *************** |
|
60 *** 517,521 **** |
|
61 redir.filename = $2; |
|
62 $$ = make_redirection (source, r_reading_until, redir, 0); |
|
63 ! redir_stack[need_here_doc++] = $$; |
|
64 } |
|
65 | NUMBER LESS_LESS WORD |
|
66 --- 522,526 ---- |
|
67 redir.filename = $2; |
|
68 $$ = make_redirection (source, r_reading_until, redir, 0); |
|
69 ! push_heredoc ($$); |
|
70 } |
|
71 | NUMBER LESS_LESS WORD |
|
72 *************** |
|
73 *** 524,528 **** |
|
74 redir.filename = $3; |
|
75 $$ = make_redirection (source, r_reading_until, redir, 0); |
|
76 ! redir_stack[need_here_doc++] = $$; |
|
77 } |
|
78 | REDIR_WORD LESS_LESS WORD |
|
79 --- 529,533 ---- |
|
80 redir.filename = $3; |
|
81 $$ = make_redirection (source, r_reading_until, redir, 0); |
|
82 ! push_heredoc ($$); |
|
83 } |
|
84 | REDIR_WORD LESS_LESS WORD |
|
85 *************** |
|
86 *** 531,535 **** |
|
87 redir.filename = $3; |
|
88 $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); |
|
89 ! redir_stack[need_here_doc++] = $$; |
|
90 } |
|
91 | LESS_LESS_MINUS WORD |
|
92 --- 536,540 ---- |
|
93 redir.filename = $3; |
|
94 $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); |
|
95 ! push_heredoc ($$); |
|
96 } |
|
97 | LESS_LESS_MINUS WORD |
|
98 *************** |
|
99 *** 538,542 **** |
|
100 redir.filename = $2; |
|
101 $$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
|
102 ! redir_stack[need_here_doc++] = $$; |
|
103 } |
|
104 | NUMBER LESS_LESS_MINUS WORD |
|
105 --- 543,547 ---- |
|
106 redir.filename = $2; |
|
107 $$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
|
108 ! push_heredoc ($$); |
|
109 } |
|
110 | NUMBER LESS_LESS_MINUS WORD |
|
111 *************** |
|
112 *** 545,549 **** |
|
113 redir.filename = $3; |
|
114 $$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
|
115 ! redir_stack[need_here_doc++] = $$; |
|
116 } |
|
117 | REDIR_WORD LESS_LESS_MINUS WORD |
|
118 --- 550,554 ---- |
|
119 redir.filename = $3; |
|
120 $$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
|
121 ! push_heredoc ($$); |
|
122 } |
|
123 | REDIR_WORD LESS_LESS_MINUS WORD |
|
124 *************** |
|
125 *** 552,556 **** |
|
126 redir.filename = $3; |
|
127 $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); |
|
128 ! redir_stack[need_here_doc++] = $$; |
|
129 } |
|
130 | LESS_LESS_LESS WORD |
|
131 --- 557,561 ---- |
|
132 redir.filename = $3; |
|
133 $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); |
|
134 ! push_heredoc ($$); |
|
135 } |
|
136 | LESS_LESS_LESS WORD |
|
137 *************** |
|
138 *** 2508,2511 **** |
|
139 --- 2513,2531 ---- |
|
140 static int esacs_needed_count; |
|
141 |
|
142 + static void |
|
143 + push_heredoc (r) |
|
144 + REDIRECT *r; |
|
145 + { |
|
146 + if (need_here_doc >= HEREDOC_MAX) |
|
147 + { |
|
148 + last_command_exit_value = EX_BADUSAGE; |
|
149 + need_here_doc = 0; |
|
150 + report_syntax_error (_("maximum here-document count exceeded")); |
|
151 + reset_parser (); |
|
152 + exit_shell (last_command_exit_value); |
|
153 + } |
|
154 + redir_stack[need_here_doc++] = r; |
|
155 + } |
|
156 + |
|
157 void |
|
158 gather_here_documents () |
|
159 *** ../bash-4.1-patched/patchlevel.h 2009-10-01 16:39:22.000000000 -0400 |
|
160 --- patchlevel.h 2010-01-14 09:38:08.000000000 -0500 |
|
161 *************** |
|
162 *** 26,30 **** |
|
163 looks for to find the patch level (for the sccs version string). */ |
|
164 |
|
165 ! #define PATCHLEVEL 14 |
|
166 |
|
167 #endif /* _PATCHLEVEL_H_ */ |
|
168 --- 26,30 ---- |
|
169 looks for to find the patch level (for the sccs version string). */ |
|
170 |
|
171 ! #define PATCHLEVEL 15 |
|
172 |
|
173 #endif /* _PATCHLEVEL_H_ */ |
|