rcolebaugh / rpms / bash

Forked from rpms/bash 2 years ago
Clone
462fb2
			     BASH PATCH REPORT
462fb2
			     =================
462fb2
462fb2
Bash-Release:	4.2
462fb2
Patch-ID:	bash42-044
462fb2
462fb2
Bug-Reported-by:	"Dashing" <dashing@hushmail.com>
462fb2
Bug-Reference-ID:	<20130211175049.D90786F446@smtp.hushmail.com>
462fb2
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html
462fb2
462fb2
Bug-Description:
462fb2
462fb2
When converting a multibyte string to a wide character string as part of
462fb2
pattern matching, bash does not handle the end of the string correctly,
462fb2
causing the search for the NUL to go beyond the end of the string and
462fb2
reference random memory.  Depending on the contents of that memory, bash
462fb2
can produce errors or crash. 
462fb2
462fb2
Patch (apply with `patch -p0'):
462fb2
462fb2
*** ../bash-4.2-patched/lib/glob/xmbsrtowcs.c	2012-07-08 21:53:19.000000000 -0400
462fb2
--- lib/glob/xmbsrtowcs.c	2013-02-12 12:00:39.000000000 -0500
462fb2
***************
462fb2
*** 217,220 ****
462fb2
--- 217,226 ----
462fb2
        n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
462fb2
  
462fb2
+       if (n == 0 && p == 0)
462fb2
+ 	{
462fb2
+ 	  wsbuf[wcnum] = L'\0';
462fb2
+ 	  break;
462fb2
+ 	}
462fb2
+ 
462fb2
        /* Compensate for taking single byte on wcs conversion failure above. */
462fb2
        if (wcslength == 1 && (n == 0 || n == (size_t)-1))
462fb2
***************
462fb2
*** 222,226 ****
462fb2
  	  state = tmp_state;
462fb2
  	  p = tmp_p;
462fb2
! 	  wsbuf[wcnum++] = *p++;
462fb2
  	}
462fb2
        else
462fb2
--- 228,238 ----
462fb2
  	  state = tmp_state;
462fb2
  	  p = tmp_p;
462fb2
! 	  wsbuf[wcnum] = *p;
462fb2
! 	  if (*p == 0)
462fb2
! 	    break;
462fb2
! 	  else
462fb2
! 	    {
462fb2
! 	      wcnum++; p++;
462fb2
! 	    }
462fb2
  	}
462fb2
        else
462fb2
462fb2
*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010
462fb2
--- patchlevel.h	Thu Feb 24 21:41:34 2011
462fb2
***************
462fb2
*** 26,30 ****
462fb2
     looks for to find the patch level (for the sccs version string). */
462fb2
  
462fb2
! #define PATCHLEVEL 43
462fb2
  
462fb2
  #endif /* _PATCHLEVEL_H_ */
462fb2
--- 26,30 ----
462fb2
     looks for to find the patch level (for the sccs version string). */
462fb2
  
462fb2
! #define PATCHLEVEL 44
462fb2
  
462fb2
  #endif /* _PATCHLEVEL_H_ */