summaryrefslogtreecommitdiff
path: root/patches/source/bash/bash-4.1-patches/bash41-015
blob: c7af80f03fd450547821a057e143e34cb4ea8f16 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
			     BASH PATCH REPORT
			     =================

Bash-Release:	4.1
Patch-ID:	bash41-015

Bug-Reported-by:	Florian Weimer <fweimer@redhat.com>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

There are two local buffer overflows in parse.y that can cause the shell
to dump core when given many here-documents attached to a single command
or many nested loops.

Patch (apply with `patch -p0'):

*** ../bash-4.1.14/parse.y	2014-09-27 12:18:25.000000000 -0400
--- parse.y	2014-09-30 19:36:03.000000000 -0400
***************
*** 168,171 ****
--- 168,174 ----
  static int reserved_word_acceptable __P((int));
  static int yylex __P((void));
+ 
+ static void push_heredoc __P((REDIRECT *));
+ static char *mk_alexpansion __P((char *));
  static int alias_expand_token __P((char *));
  static int time_command_acceptable __P((void));
***************
*** 262,266 ****
  /* Variables to manage the task of reading here documents, because we need to
     defer the reading until after a complete command has been collected. */
! static REDIRECT *redir_stack[10];
  int need_here_doc;
  
--- 265,271 ----
  /* Variables to manage the task of reading here documents, because we need to
     defer the reading until after a complete command has been collected. */
! #define HEREDOC_MAX 16
! 
! static REDIRECT *redir_stack[HEREDOC_MAX];
  int need_here_doc;
  
***************
*** 304,308 ****
     index is decremented after a case, select, or for command is parsed. */
  #define MAX_CASE_NEST	128
! static int word_lineno[MAX_CASE_NEST];
  static int word_top = -1;
  
--- 309,313 ----
     index is decremented after a case, select, or for command is parsed. */
  #define MAX_CASE_NEST	128
! static int word_lineno[MAX_CASE_NEST+1];
  static int word_top = -1;
  
***************
*** 517,521 ****
  			  redir.filename = $2;
  			  $$ = make_redirection (source, r_reading_until, redir, 0);
! 			  redir_stack[need_here_doc++] = $$;
  			}
  	|	NUMBER LESS_LESS WORD
--- 522,526 ----
  			  redir.filename = $2;
  			  $$ = make_redirection (source, r_reading_until, redir, 0);
! 			  push_heredoc ($$);
  			}
  	|	NUMBER LESS_LESS WORD
***************
*** 524,528 ****
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_reading_until, redir, 0);
! 			  redir_stack[need_here_doc++] = $$;
  			}
  	|	REDIR_WORD LESS_LESS WORD
--- 529,533 ----
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_reading_until, redir, 0);
! 			  push_heredoc ($$);
  			}
  	|	REDIR_WORD LESS_LESS WORD
***************
*** 531,535 ****
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
! 			  redir_stack[need_here_doc++] = $$;
  			}
  	|	LESS_LESS_MINUS WORD
--- 536,540 ----
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
! 			  push_heredoc ($$);
  			}
  	|	LESS_LESS_MINUS WORD
***************
*** 538,542 ****
  			  redir.filename = $2;
  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
! 			  redir_stack[need_here_doc++] = $$;
  			}
  	|	NUMBER LESS_LESS_MINUS WORD
--- 543,547 ----
  			  redir.filename = $2;
  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
! 			  push_heredoc ($$);
  			}
  	|	NUMBER LESS_LESS_MINUS WORD
***************
*** 545,549 ****
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
! 			  redir_stack[need_here_doc++] = $$;
  			}
  	|	REDIR_WORD  LESS_LESS_MINUS WORD
--- 550,554 ----
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
! 			  push_heredoc ($$);
  			}
  	|	REDIR_WORD  LESS_LESS_MINUS WORD
***************
*** 552,556 ****
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
! 			  redir_stack[need_here_doc++] = $$;
  			}
  	|	LESS_LESS_LESS WORD
--- 557,561 ----
  			  redir.filename = $3;
  			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
! 			  push_heredoc ($$);
  			}
  	|	LESS_LESS_LESS WORD
***************
*** 2508,2511 ****
--- 2513,2531 ----
  static int esacs_needed_count;
  
+ static void
+ push_heredoc (r)
+      REDIRECT *r;
+ {
+   if (need_here_doc >= HEREDOC_MAX)
+     {
+       last_command_exit_value = EX_BADUSAGE;
+       need_here_doc = 0;
+       report_syntax_error (_("maximum here-document count exceeded"));
+       reset_parser ();
+       exit_shell (last_command_exit_value);
+     }
+   redir_stack[need_here_doc++] = r;
+ }
+ 
  void
  gather_here_documents ()
*** ../bash-4.1-patched/patchlevel.h	2009-10-01 16:39:22.000000000 -0400
--- patchlevel.h	2010-01-14 09:38:08.000000000 -0500
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 14
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 15
  
  #endif /* _PATCHLEVEL_H_ */