Blame SOURCES/bash-cve-2016-9401.patch

a01f16
diff --git a/builtins/pushd.def b/builtins/pushd.def
a01f16
index 05b7529..4eb0132 100644
a01f16
--- a/builtins/pushd.def
a01f16
+++ b/builtins/pushd.def
a01f16
@@ -353,7 +353,7 @@ popd_builtin (list)
a01f16
 	break;
a01f16
     }
a01f16
 
a01f16
-  if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
a01f16
+  if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
a01f16
     {
a01f16
       pushd_error (directory_list_offset, which_word ? which_word : "");
a01f16
       return (EXECUTION_FAILURE);
a01f16
@@ -375,6 +375,11 @@ popd_builtin (list)
a01f16
 	 remove that directory from the list and shift the remainder
a01f16
 	 of the list into place. */
a01f16
       i = (direction == '+') ? directory_list_offset - which : which;
a01f16
+      if (i < 0 || i > directory_list_offset)
a01f16
+	{
a01f16
+	  pushd_error (directory_list_offset, which_word ? which_word : "");
a01f16
+	  return (EXECUTION_FAILURE);
a01f16
+	}
a01f16
       free (pushd_directory_list[i]);
a01f16
       directory_list_offset--;
a01f16
 
a01f16
-- 
a01f16
2.9.3
a01f16