Annotation of /updates/infra_2/bash/current/SOURCES/bash42-051

                             BASH PATCH REPORT
                             =================

Bash-Release:   4.2
Patch-ID:       bash42-051

Bug-Reported-by:        Florian Weimer <fweimer@redhat.com>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

There are two local buffer overflows in parse.y that can cause the shell
to dump core when given many here-documents attached to a single command
or many nested loops.

Patch (apply with `patch -p0'):

*** ../bash-4.2.50/parse.y      2014-09-27 12:18:53.000000000 -0400
--- parse.y     2014-09-30 19:24:19.000000000 -0400
***************
*** 168,171 ****
--- 168,174 ----
  static int reserved_word_acceptable __P((int));
  static int yylex __P((void));
+ 
+ static void push_heredoc __P((REDIRECT *));
+ static char *mk_alexpansion __P((char *));
  static int alias_expand_token __P((char *));
  static int time_command_acceptable __P((void));
***************
*** 265,269 ****
  /* Variables to manage the task of reading here documents, because we need to
     defer the reading until after a complete command has been collected. */
! static REDIRECT *redir_stack[10];
  int need_here_doc;
  
--- 268,274 ----
  /* Variables to manage the task of reading here documents, because we need to
     defer the reading until after a complete command has been collected. */
! #define HEREDOC_MAX 16
! 
! static REDIRECT *redir_stack[HEREDOC_MAX];
  int need_here_doc;
  
***************
*** 307,311 ****
     index is decremented after a case, select, or for command is parsed. */
  #define MAX_CASE_NEST 128
! static int word_lineno[MAX_CASE_NEST];
  static int word_top = -1;
  
--- 312,316 ----
     index is decremented after a case, select, or for command is parsed. */
  #define MAX_CASE_NEST 128
! static int word_lineno[MAX_CASE_NEST+1];
  static int word_top = -1;
  
***************
*** 520,524 ****
                          redir.filename = $2;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       NUMBER LESS_LESS WORD
--- 525,529 ----
                          redir.filename = $2;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       NUMBER LESS_LESS WORD
***************
*** 527,531 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       REDIR_WORD LESS_LESS WORD
--- 532,536 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       REDIR_WORD LESS_LESS WORD
***************
*** 534,538 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       LESS_LESS_MINUS WORD
--- 539,543 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
!                         push_heredoc ($$);
                        }
        |       LESS_LESS_MINUS WORD
***************
*** 541,545 ****
                          redir.filename = $2;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       NUMBER LESS_LESS_MINUS WORD
--- 546,550 ----
                          redir.filename = $2;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       NUMBER LESS_LESS_MINUS WORD
***************
*** 548,552 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       REDIR_WORD  LESS_LESS_MINUS WORD
--- 553,557 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       REDIR_WORD  LESS_LESS_MINUS WORD
***************
*** 555,559 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       LESS_LESS_LESS WORD
--- 560,564 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
!                         push_heredoc ($$);
                        }
        |       LESS_LESS_LESS WORD
***************
*** 2534,2537 ****
--- 2539,2557 ----
  static int esacs_needed_count;
  
+ static void
+ push_heredoc (r)
+      REDIRECT *r;
+ {
+   if (need_here_doc >= HEREDOC_MAX)
+     {
+       last_command_exit_value = EX_BADUSAGE;
+       need_here_doc = 0;
+       report_syntax_error (_("maximum here-document count exceeded"));
+       reset_parser ();
+       exit_shell (last_command_exit_value);
+     }
+   redir_stack[need_here_doc++] = r;
+ }
+ 
  void
  gather_here_documents ()
*** ../bash-4.2-patched/patchlevel.h    Sat Jun 12 20:14:48 2010
--- patchlevel.h        Thu Feb 24 21:41:34 2011
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 50
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 51
  
  #endif /* _PATCHLEVEL_H_ */
1	tmb	737739	BASH PATCH REPORT
2			=================
3
4			Bash-Release: 4.2
5			Patch-ID: bash42-051
6
7			Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
8			Bug-Reference-ID:
9			Bug-Reference-URL:
10
11			Bug-Description:
12
13			There are two local buffer overflows in parse.y that can cause the shell
14			to dump core when given many here-documents attached to a single command
15			or many nested loops.
16
17			Patch (apply with `patch -p0'):
18
19			*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
20			--- parse.y 2014-09-30 19:24:19.000000000 -0400
21			***************
22			* 168,171 **
23			--- 168,174 ----
24			static int reserved_word_acceptable __P((int));
25			static int yylex __P((void));
26			+
27			+ static void push_heredoc __P((REDIRECT *));
28			+ static char mk_alexpansion __P((char ));
29			static int alias_expand_token __P((char *));
30			static int time_command_acceptable __P((void));
31			***************
32			* 265,269 **
33			/* Variables to manage the task of reading here documents, because we need to
34			defer the reading until after a complete command has been collected. */
35			! static REDIRECT *redir_stack[10];
36			int need_here_doc;
37
38			--- 268,274 ----
39			/* Variables to manage the task of reading here documents, because we need to
40			defer the reading until after a complete command has been collected. */
41			! #define HEREDOC_MAX 16
42			!
43			! static REDIRECT *redir_stack[HEREDOC_MAX];
44			int need_here_doc;
45
46			***************
47			* 307,311 **
48			index is decremented after a case, select, or for command is parsed. */
49			#define MAX_CASE_NEST 128
50			! static int word_lineno[MAX_CASE_NEST];
51			static int word_top = -1;
52
53			--- 312,316 ----
54			index is decremented after a case, select, or for command is parsed. */
55			#define MAX_CASE_NEST 128
56			! static int word_lineno[MAX_CASE_NEST+1];
57			static int word_top = -1;
58
59			***************
60			* 520,524 **
61			redir.filename = $2;
62			$$ = make_redirection (source, r_reading_until, redir, 0);
63			! redir_stack[need_here_doc++] = $$;
64			}
65			\| NUMBER LESS_LESS WORD
66			--- 525,529 ----
67			redir.filename = $2;
68			$$ = make_redirection (source, r_reading_until, redir, 0);
69			! push_heredoc ($$);
70			}
71			\| NUMBER LESS_LESS WORD
72			***************
73			* 527,531 **
74			redir.filename = $3;
75			$$ = make_redirection (source, r_reading_until, redir, 0);
76			! redir_stack[need_here_doc++] = $$;
77			}
78			\| REDIR_WORD LESS_LESS WORD
79			--- 532,536 ----
80			redir.filename = $3;
81			$$ = make_redirection (source, r_reading_until, redir, 0);
82			! push_heredoc ($$);
83			}
84			\| REDIR_WORD LESS_LESS WORD
85			***************
86			* 534,538 **
87			redir.filename = $3;
88			$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
89			! redir_stack[need_here_doc++] = $$;
90			}
91			\| LESS_LESS_MINUS WORD
92			--- 539,543 ----
93			redir.filename = $3;
94			$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
95			! push_heredoc ($$);
96			}
97			\| LESS_LESS_MINUS WORD
98			***************
99			* 541,545 **
100			redir.filename = $2;
101			$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
102			! redir_stack[need_here_doc++] = $$;
103			}
104			\| NUMBER LESS_LESS_MINUS WORD
105			--- 546,550 ----
106			redir.filename = $2;
107			$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
108			! push_heredoc ($$);
109			}
110			\| NUMBER LESS_LESS_MINUS WORD
111			***************
112			* 548,552 **
113			redir.filename = $3;
114			$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
115			! redir_stack[need_here_doc++] = $$;
116			}
117			\| REDIR_WORD LESS_LESS_MINUS WORD
118			--- 553,557 ----
119			redir.filename = $3;
120			$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
121			! push_heredoc ($$);
122			}
123			\| REDIR_WORD LESS_LESS_MINUS WORD
124			***************
125			* 555,559 **
126			redir.filename = $3;
127			$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
128			! redir_stack[need_here_doc++] = $$;
129			}
130			\| LESS_LESS_LESS WORD
131			--- 560,564 ----
132			redir.filename = $3;
133			$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
134			! push_heredoc ($$);
135			}
136			\| LESS_LESS_LESS WORD
137			***************
138			* 2534,2537 **
139			--- 2539,2557 ----
140			static int esacs_needed_count;
141
142			+ static void
143			+ push_heredoc (r)
144			+ REDIRECT *r;
145			+ {
146			+ if (need_here_doc >= HEREDOC_MAX)
147			+ {
148			+ last_command_exit_value = EX_BADUSAGE;
149			+ need_here_doc = 0;
150			+ report_syntax_error (_("maximum here-document count exceeded"));
151			+ reset_parser ();
152			+ exit_shell (last_command_exit_value);
153			+ }
154			+ redir_stack[need_here_doc++] = r;
155			+ }
156			+
157			void
158			gather_here_documents ()
159			*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
160			--- patchlevel.h Thu Feb 24 21:41:34 2011
161			***************
162			* 26,30 **
163			looks for to find the patch level (for the sccs version string). */
164
165			! #define PATCHLEVEL 50
166
167			#endif /* _PATCHLEVEL_H_ */
168			--- 26,30 ----
169			looks for to find the patch level (for the sccs version string). */
170
171			! #define PATCHLEVEL 51
172
173			#endif /* _PATCHLEVEL_H_ */