nalika / rpms / bash

Forked from rpms/bash 2 years ago
Clone

Blame SOURCES/bash42-044

07a490
			     BASH PATCH REPORT
07a490
			     =================
07a490
07a490
Bash-Release:	4.2
07a490
Patch-ID:	bash42-044
07a490
07a490
Bug-Reported-by:	"Dashing" <dashing@hushmail.com>
07a490
Bug-Reference-ID:	<20130211175049.D90786F446@smtp.hushmail.com>
07a490
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html
07a490
07a490
Bug-Description:
07a490
07a490
When converting a multibyte string to a wide character string as part of
07a490
pattern matching, bash does not handle the end of the string correctly,
07a490
causing the search for the NUL to go beyond the end of the string and
07a490
reference random memory.  Depending on the contents of that memory, bash
07a490
can produce errors or crash. 
07a490
07a490
Patch (apply with `patch -p0'):
07a490
07a490
*** ../bash-4.2-patched/lib/glob/xmbsrtowcs.c	2012-07-08 21:53:19.000000000 -0400
07a490
--- lib/glob/xmbsrtowcs.c	2013-02-12 12:00:39.000000000 -0500
07a490
***************
07a490
*** 217,220 ****
07a490
--- 217,226 ----
07a490
        n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
07a490
  
07a490
+       if (n == 0 && p == 0)
07a490
+ 	{
07a490
+ 	  wsbuf[wcnum] = L'\0';
07a490
+ 	  break;
07a490
+ 	}
07a490
+ 
07a490
        /* Compensate for taking single byte on wcs conversion failure above. */
07a490
        if (wcslength == 1 && (n == 0 || n == (size_t)-1))
07a490
***************
07a490
*** 222,226 ****
07a490
  	  state = tmp_state;
07a490
  	  p = tmp_p;
07a490
! 	  wsbuf[wcnum++] = *p++;
07a490
  	}
07a490
        else
07a490
--- 228,238 ----
07a490
  	  state = tmp_state;
07a490
  	  p = tmp_p;
07a490
! 	  wsbuf[wcnum] = *p;
07a490
! 	  if (*p == 0)
07a490
! 	    break;
07a490
! 	  else
07a490
! 	    {
07a490
! 	      wcnum++; p++;
07a490
! 	    }
07a490
  	}
07a490
        else
07a490
07a490
*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010
07a490
--- patchlevel.h	Thu Feb 24 21:41:34 2011
07a490
***************
07a490
*** 26,30 ****
07a490
     looks for to find the patch level (for the sccs version string). */
07a490
  
07a490
! #define PATCHLEVEL 43
07a490
  
07a490
  #endif /* _PATCHLEVEL_H_ */
07a490
--- 26,30 ----
07a490
     looks for to find the patch level (for the sccs version string). */
07a490
  
07a490
! #define PATCHLEVEL 44
07a490
  
07a490
  #endif /* _PATCHLEVEL_H_ */