|
1 # Patch Origin: http://www.openwall.com/lists/oss-security/2014/09/26/2 |
|
2 # Patch is from Red Hat Security. |
|
3 # Assigned CVE-2014-7186 and CVE-2014-7187 |
|
4 # CVSS Score: 4.6 |
|
5 --- ../bash-4.1.orig/parse.y 2014-09-25 08:10:49.809021000 -0700 |
|
6 +++ parse.y 2014-09-25 11:33:15.596573700 -0700 |
|
7 @@ -261,9 +261,21 @@ |
|
8 |
|
9 /* Variables to manage the task of reading here documents, because we need to |
|
10 defer the reading until after a complete command has been collected. */ |
|
11 -static REDIRECT *redir_stack[10]; |
|
12 +static REDIRECT **redir_stack; |
|
13 int need_here_doc; |
|
14 |
|
15 +/* Pushes REDIR onto redir_stack, resizing it as needed. */ |
|
16 +static void |
|
17 +push_redir_stack (REDIRECT *redir) |
|
18 +{ |
|
19 + /* Guard against oveflow. */ |
|
20 + if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) |
|
21 + abort (); |
|
22 + redir_stack = xrealloc (redir_stack, |
|
23 + (need_here_doc + 1) * sizeof (*redir_stack)); |
|
24 + redir_stack[need_here_doc++] = redir; |
|
25 +} |
|
26 + |
|
27 /* Where shell input comes from. History expansion is performed on each |
|
28 line when the shell is interactive. */ |
|
29 static char *shell_input_line = (char *)NULL; |
|
30 @@ -516,42 +528,42 @@ |
|
31 source.dest = 0; |
|
32 redir.filename = $2; |
|
33 $$ = make_redirection (source, r_reading_until, redir, 0); |
|
34 - redir_stack[need_here_doc++] = $$; |
|
35 + push_redir_stack ($$); |
|
36 } |
|
37 | NUMBER LESS_LESS WORD |
|
38 { |
|
39 source.dest = $1; |
|
40 redir.filename = $3; |
|
41 $$ = make_redirection (source, r_reading_until, redir, 0); |
|
42 - redir_stack[need_here_doc++] = $$; |
|
43 + push_redir_stack ($$); |
|
44 } |
|
45 | REDIR_WORD LESS_LESS WORD |
|
46 { |
|
47 source.filename = $1; |
|
48 redir.filename = $3; |
|
49 $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); |
|
50 - redir_stack[need_here_doc++] = $$; |
|
51 + push_redir_stack ($$); |
|
52 } |
|
53 | LESS_LESS_MINUS WORD |
|
54 { |
|
55 source.dest = 0; |
|
56 redir.filename = $2; |
|
57 $$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
|
58 - redir_stack[need_here_doc++] = $$; |
|
59 + push_redir_stack ($$); |
|
60 } |
|
61 | NUMBER LESS_LESS_MINUS WORD |
|
62 { |
|
63 source.dest = $1; |
|
64 redir.filename = $3; |
|
65 $$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
|
66 - redir_stack[need_here_doc++] = $$; |
|
67 + push_redir_stack ($$); |
|
68 } |
|
69 | REDIR_WORD LESS_LESS_MINUS WORD |
|
70 { |
|
71 source.filename = $1; |
|
72 redir.filename = $3; |
|
73 $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); |
|
74 - redir_stack[need_here_doc++] = $$; |
|
75 + push_redir_stack ($$); |
|
76 } |
|
77 | LESS_LESS_LESS WORD |
|
78 { |
|
79 @@ -4677,7 +4689,7 @@ |
|
80 case CASE: |
|
81 case SELECT: |
|
82 case FOR: |
|
83 - if (word_top < MAX_CASE_NEST) |
|
84 + if ((word_top + 1) < MAX_CASE_NEST) |
|
85 word_top++; |
|
86 word_lineno[word_top] = line_number; |
|
87 break; |