BASH PATCH REPORT
=================
Bash-Release: 4.2
Patch-ID: bash42-044
Bug-Reported-by: "Dashing" <dashing@hushmail.com>
Bug-Reference-ID: <20130211175049.D90786F446@smtp.hushmail.com>
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html
Bug-Description:
When converting a multibyte string to a wide character string as part of
pattern matching, bash does not handle the end of the string correctly,
causing the search for the NUL to go beyond the end of the string and
reference random memory. Depending on the contents of that memory, bash
can produce errors or crash.
Patch (apply with `patch -p0'):
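--- a/lib/glob/xmbsrtowcs.c
+++ b/lib/glob/xmbsrtowcs.c
@@ -217,4 +217,10 @@
 n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
 
+if (n == 0 && p == 0)
+{
+wsbuf[wcnum] = L'\0';
+break;
+}
+
 /* Compensate for taking single byte on wcs conversion failure above. */
 if (wcslength == 1 && (n == 0 || n == (size_t)-1))
@@ -222,5 +228,11 @@
 state = tmp_state;
 p = tmp_p;
-wsbuf[wcnum++] = *p++;
+wsbuf[wcnum] = *p;
+if (*p == 0)
+break;
+else
+{
+wcnum++; p++;
+}
 }
 else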
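Review bot: The block added after the `mbsnrtowcs` call in the first hunk has no comment explaining why `n == 0 && p == 0` means end of input, even though that condition is the core of the fix for the read past the terminator described in the report. I would add `/* mbsnrtowcs sets p to NULL once it has converted the terminating NUL; nothing is left to convert, so terminate and stop. */` above it and write the test as `p == NULL`, since p is used as a pointer. The second hunk has the same gap: a one-line comment on `if (*p == 0)` saying that the single-byte fallback must not step past the terminator would keep a later cleanup from folding it back into `wsbuf[wcnum++] = *p++;`. The enclosing loop begins and ends outside both hunks, so the buffer sizing that the `wsbuf[wcnum]` writes rely on is not visible here and is presumably done before the call.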
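--- a/patchlevel.h
+++ b/patchlevel.h
@@ -26,5 +26,5 @@
 looks for to find the patch level (for the sccs version string). */
 
-#define PATCHLEVEL 43
+#define PATCHLEVEL 44
 
 #endif /* _PATCHLEVEL_H_ */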