1 |
tmb |
737739 |
BASH PATCH REPORT |
2 |
|
|
================= |
3 |
|
|
|
4 |
|
|
Bash-Release: 4.2 |
5 |
|
|
Patch-ID: bash42-051 |
6 |
|
|
|
7 |
|
|
Bug-Reported-by: Florian Weimer <fweimer@redhat.com> |
8 |
|
|
Bug-Reference-ID: |
9 |
|
|
Bug-Reference-URL: |
10 |
|
|
|
11 |
|
|
Bug-Description: |
12 |
|
|
|
13 |
|
|
There are two local buffer overflows in parse.y that can cause the shell |
14 |
|
|
to dump core when given many here-documents attached to a single command |
15 |
|
|
or many nested loops. |
16 |
|
|
|
17 |
|
|
Patch (apply with `patch -p0'): |
18 |
|
|
|
19 |
|
|
*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400 |
20 |
|
|
--- parse.y 2014-09-30 19:24:19.000000000 -0400 |
21 |
|
|
*************** |
22 |
|
|
*** 168,171 **** |
23 |
|
|
--- 168,174 ---- |
24 |
|
|
static int reserved_word_acceptable __P((int)); |
25 |
|
|
static int yylex __P((void)); |
26 |
|
|
+ |
27 |
|
|
+ static void push_heredoc __P((REDIRECT *)); |
28 |
|
|
+ static char *mk_alexpansion __P((char *)); |
29 |
|
|
static int alias_expand_token __P((char *)); |
30 |
|
|
static int time_command_acceptable __P((void)); |
31 |
|
|
*************** |
32 |
|
|
*** 265,269 **** |
33 |
|
|
/* Variables to manage the task of reading here documents, because we need to |
34 |
|
|
defer the reading until after a complete command has been collected. */ |
35 |
|
|
! static REDIRECT *redir_stack[10]; |
36 |
|
|
int need_here_doc; |
37 |
|
|
|
38 |
|
|
--- 268,274 ---- |
39 |
|
|
/* Variables to manage the task of reading here documents, because we need to |
40 |
|
|
defer the reading until after a complete command has been collected. */ |
41 |
|
|
! #define HEREDOC_MAX 16 |
42 |
|
|
! |
43 |
|
|
! static REDIRECT *redir_stack[HEREDOC_MAX]; |
44 |
|
|
int need_here_doc; |
45 |
|
|
|
46 |
|
|
*************** |
47 |
|
|
*** 307,311 **** |
48 |
|
|
index is decremented after a case, select, or for command is parsed. */ |
49 |
|
|
#define MAX_CASE_NEST 128 |
50 |
|
|
! static int word_lineno[MAX_CASE_NEST]; |
51 |
|
|
static int word_top = -1; |
52 |
|
|
|
53 |
|
|
--- 312,316 ---- |
54 |
|
|
index is decremented after a case, select, or for command is parsed. */ |
55 |
|
|
#define MAX_CASE_NEST 128 |
56 |
|
|
! static int word_lineno[MAX_CASE_NEST+1]; |
57 |
|
|
static int word_top = -1; |
58 |
|
|
|
59 |
|
|
*************** |
60 |
|
|
*** 520,524 **** |
61 |
|
|
redir.filename = $2; |
62 |
|
|
$$ = make_redirection (source, r_reading_until, redir, 0); |
63 |
|
|
! redir_stack[need_here_doc++] = $$; |
64 |
|
|
} |
65 |
|
|
| NUMBER LESS_LESS WORD |
66 |
|
|
--- 525,529 ---- |
67 |
|
|
redir.filename = $2; |
68 |
|
|
$$ = make_redirection (source, r_reading_until, redir, 0); |
69 |
|
|
! push_heredoc ($$); |
70 |
|
|
} |
71 |
|
|
| NUMBER LESS_LESS WORD |
72 |
|
|
*************** |
73 |
|
|
*** 527,531 **** |
74 |
|
|
redir.filename = $3; |
75 |
|
|
$$ = make_redirection (source, r_reading_until, redir, 0); |
76 |
|
|
! redir_stack[need_here_doc++] = $$; |
77 |
|
|
} |
78 |
|
|
| REDIR_WORD LESS_LESS WORD |
79 |
|
|
--- 532,536 ---- |
80 |
|
|
redir.filename = $3; |
81 |
|
|
$$ = make_redirection (source, r_reading_until, redir, 0); |
82 |
|
|
! push_heredoc ($$); |
83 |
|
|
} |
84 |
|
|
| REDIR_WORD LESS_LESS WORD |
85 |
|
|
*************** |
86 |
|
|
*** 534,538 **** |
87 |
|
|
redir.filename = $3; |
88 |
|
|
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); |
89 |
|
|
! redir_stack[need_here_doc++] = $$; |
90 |
|
|
} |
91 |
|
|
| LESS_LESS_MINUS WORD |
92 |
|
|
--- 539,543 ---- |
93 |
|
|
redir.filename = $3; |
94 |
|
|
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); |
95 |
|
|
! push_heredoc ($$); |
96 |
|
|
} |
97 |
|
|
| LESS_LESS_MINUS WORD |
98 |
|
|
*************** |
99 |
|
|
*** 541,545 **** |
100 |
|
|
redir.filename = $2; |
101 |
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
102 |
|
|
! redir_stack[need_here_doc++] = $$; |
103 |
|
|
} |
104 |
|
|
| NUMBER LESS_LESS_MINUS WORD |
105 |
|
|
--- 546,550 ---- |
106 |
|
|
redir.filename = $2; |
107 |
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
108 |
|
|
! push_heredoc ($$); |
109 |
|
|
} |
110 |
|
|
| NUMBER LESS_LESS_MINUS WORD |
111 |
|
|
*************** |
112 |
|
|
*** 548,552 **** |
113 |
|
|
redir.filename = $3; |
114 |
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
115 |
|
|
! redir_stack[need_here_doc++] = $$; |
116 |
|
|
} |
117 |
|
|
| REDIR_WORD LESS_LESS_MINUS WORD |
118 |
|
|
--- 553,557 ---- |
119 |
|
|
redir.filename = $3; |
120 |
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, 0); |
121 |
|
|
! push_heredoc ($$); |
122 |
|
|
} |
123 |
|
|
| REDIR_WORD LESS_LESS_MINUS WORD |
124 |
|
|
*************** |
125 |
|
|
*** 555,559 **** |
126 |
|
|
redir.filename = $3; |
127 |
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); |
128 |
|
|
! redir_stack[need_here_doc++] = $$; |
129 |
|
|
} |
130 |
|
|
| LESS_LESS_LESS WORD |
131 |
|
|
--- 560,564 ---- |
132 |
|
|
redir.filename = $3; |
133 |
|
|
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); |
134 |
|
|
! push_heredoc ($$); |
135 |
|
|
} |
136 |
|
|
| LESS_LESS_LESS WORD |
137 |
|
|
*************** |
138 |
|
|
*** 2534,2537 **** |
139 |
|
|
--- 2539,2557 ---- |
140 |
|
|
static int esacs_needed_count; |
141 |
|
|
|
142 |
|
|
+ static void |
143 |
|
|
+ push_heredoc (r) |
144 |
|
|
+ REDIRECT *r; |
145 |
|
|
+ { |
146 |
|
|
+ if (need_here_doc >= HEREDOC_MAX) |
147 |
|
|
+ { |
148 |
|
|
+ last_command_exit_value = EX_BADUSAGE; |
149 |
|
|
+ need_here_doc = 0; |
150 |
|
|
+ report_syntax_error (_("maximum here-document count exceeded")); |
151 |
|
|
+ reset_parser (); |
152 |
|
|
+ exit_shell (last_command_exit_value); |
153 |
|
|
+ } |
154 |
|
|
+ redir_stack[need_here_doc++] = r; |
155 |
|
|
+ } |
156 |
|
|
+ |
157 |
|
|
void |
158 |
|
|
gather_here_documents () |
159 |
|
|
*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010 |
160 |
|
|
--- patchlevel.h Thu Feb 24 21:41:34 2011 |
161 |
|
|
*************** |
162 |
|
|
*** 26,30 **** |
163 |
|
|
looks for to find the patch level (for the sccs version string). */ |
164 |
|
|
|
165 |
|
|
! #define PATCHLEVEL 50 |
166 |
|
|
|
167 |
|
|
#endif /* _PATCHLEVEL_H_ */ |
168 |
|
|
--- 26,30 ---- |
169 |
|
|
looks for to find the patch level (for the sccs version string). */ |
170 |
|
|
|
171 |
|
|
! #define PATCHLEVEL 51 |
172 |
|
|
|
173 |
|
|
#endif /* _PATCHLEVEL_H_ */ |