|
1 BASH PATCH REPORT |
|
2 ================= |
|
3 |
|
4 Bash-Release: 4.4 |
|
5 Patch-ID: bash44-006 |
|
6 |
|
7 Bug-Reported-by: <[email protected]> |
|
8 Bug-Reference-ID: <CAEr-gPFPvqheiAeENmMkEwWRd4U=1iqCsYmR3sLdULOqL++_tQ@mail.gmail.com> |
|
9 Bug-Reference-URL: |
|
10 |
|
11 Bug-Description: |
|
12 |
|
13 Out-of-range negative offsets to popd can cause the shell to crash attempting |
|
14 to free an invalid memory block. |
|
15 |
|
16 Patch (apply with `patch -p0'): |
|
17 |
|
18 *** ../bash-4.4-patched/builtins/pushd.def 2016-01-25 13:31:49.000000000 -0500 |
|
19 --- builtins/pushd.def 2016-10-28 10:46:49.000000000 -0400 |
|
20 *************** |
|
21 *** 366,370 **** |
|
22 } |
|
23 |
|
24 ! if (which > directory_list_offset || (directory_list_offset == 0 && which == 0)) |
|
25 { |
|
26 pushd_error (directory_list_offset, which_word ? which_word : ""); |
|
27 --- 366,370 ---- |
|
28 } |
|
29 |
|
30 ! if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0)) |
|
31 { |
|
32 pushd_error (directory_list_offset, which_word ? which_word : ""); |
|
33 *************** |
|
34 *** 388,391 **** |
|
35 --- 388,396 ---- |
|
36 of the list into place. */ |
|
37 i = (direction == '+') ? directory_list_offset - which : which; |
|
38 + if (i < 0 || i > directory_list_offset) |
|
39 + { |
|
40 + pushd_error (directory_list_offset, which_word ? which_word : ""); |
|
41 + return (EXECUTION_FAILURE); |
|
42 + } |
|
43 free (pushd_directory_list[i]); |
|
44 directory_list_offset--; |
|
45 *** ../bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 |
|
46 --- patchlevel.h 2016-10-01 11:01:28.000000000 -0400 |
|
47 *************** |
|
48 *** 26,30 **** |
|
49 looks for to find the patch level (for the sccs version string). */ |
|
50 |
|
51 ! #define PATCHLEVEL 5 |
|
52 |
|
53 #endif /* _PATCHLEVEL_H_ */ |
|
54 --- 26,30 ---- |
|
55 looks for to find the patch level (for the sccs version string). */ |
|
56 |
|
57 ! #define PATCHLEVEL 6 |
|
58 |
|
59 #endif /* _PATCHLEVEL_H_ */ |