Contents of /updates/infra_2/bash/current/SOURCES/bash42-051

                             BASH PATCH REPORT
                             =================

Bash-Release:   4.2
Patch-ID:       bash42-051

Bug-Reported-by:        Florian Weimer <fweimer@redhat.com>
Bug-Reference-ID:
Bug-Reference-URL:

Bug-Description:

There are two local buffer overflows in parse.y that can cause the shell
to dump core when given many here-documents attached to a single command
or many nested loops.

Patch (apply with `patch -p0'):

*** ../bash-4.2.50/parse.y      2014-09-27 12:18:53.000000000 -0400
--- parse.y     2014-09-30 19:24:19.000000000 -0400
***************
*** 168,171 ****
--- 168,174 ----
  static int reserved_word_acceptable __P((int));
  static int yylex __P((void));
+ 
+ static void push_heredoc __P((REDIRECT *));
+ static char *mk_alexpansion __P((char *));
  static int alias_expand_token __P((char *));
  static int time_command_acceptable __P((void));
***************
*** 265,269 ****
  /* Variables to manage the task of reading here documents, because we need to
     defer the reading until after a complete command has been collected. */
! static REDIRECT *redir_stack[10];
  int need_here_doc;
  
--- 268,274 ----
  /* Variables to manage the task of reading here documents, because we need to
     defer the reading until after a complete command has been collected. */
! #define HEREDOC_MAX 16
! 
! static REDIRECT *redir_stack[HEREDOC_MAX];
  int need_here_doc;
  
***************
*** 307,311 ****
     index is decremented after a case, select, or for command is parsed. */
  #define MAX_CASE_NEST 128
! static int word_lineno[MAX_CASE_NEST];
  static int word_top = -1;
  
--- 312,316 ----
     index is decremented after a case, select, or for command is parsed. */
  #define MAX_CASE_NEST 128
! static int word_lineno[MAX_CASE_NEST+1];
  static int word_top = -1;
  
***************
*** 520,524 ****
                          redir.filename = $2;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       NUMBER LESS_LESS WORD
--- 525,529 ----
                          redir.filename = $2;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       NUMBER LESS_LESS WORD
***************
*** 527,531 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       REDIR_WORD LESS_LESS WORD
--- 532,536 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       REDIR_WORD LESS_LESS WORD
***************
*** 534,538 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       LESS_LESS_MINUS WORD
--- 539,543 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
!                         push_heredoc ($$);
                        }
        |       LESS_LESS_MINUS WORD
***************
*** 541,545 ****
                          redir.filename = $2;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       NUMBER LESS_LESS_MINUS WORD
--- 546,550 ----
                          redir.filename = $2;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       NUMBER LESS_LESS_MINUS WORD
***************
*** 548,552 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       REDIR_WORD  LESS_LESS_MINUS WORD
--- 553,557 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
!                         push_heredoc ($$);
                        }
        |       REDIR_WORD  LESS_LESS_MINUS WORD
***************
*** 555,559 ****
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
!                         redir_stack[need_here_doc++] = $$;
                        }
        |       LESS_LESS_LESS WORD
--- 560,564 ----
                          redir.filename = $3;
                          $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
!                         push_heredoc ($$);
                        }
        |       LESS_LESS_LESS WORD
***************
*** 2534,2537 ****
--- 2539,2557 ----
  static int esacs_needed_count;
  
+ static void
+ push_heredoc (r)
+      REDIRECT *r;
+ {
+   if (need_here_doc >= HEREDOC_MAX)
+     {
+       last_command_exit_value = EX_BADUSAGE;
+       need_here_doc = 0;
+       report_syntax_error (_("maximum here-document count exceeded"));
+       reset_parser ();
+       exit_shell (last_command_exit_value);
+     }
+   redir_stack[need_here_doc++] = r;
+ }
+ 
  void
  gather_here_documents ()
*** ../bash-4.2-patched/patchlevel.h    Sat Jun 12 20:14:48 2010
--- patchlevel.h        Thu Feb 24 21:41:34 2011
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 50
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 51
  
  #endif /* _PATCHLEVEL_H_ */
1	BASH PATCH REPORT
2	=================
3
4	Bash-Release: 4.2
5	Patch-ID: bash42-051
6
7	Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
8	Bug-Reference-ID:
9	Bug-Reference-URL:
10
11	Bug-Description:
12
13	There are two local buffer overflows in parse.y that can cause the shell
14	to dump core when given many here-documents attached to a single command
15	or many nested loops.
16
17	Patch (apply with `patch -p0'):
18
19	*** ../bash-4.2.50/parse.y 2014-09-27 12:18:53.000000000 -0400
20	--- parse.y 2014-09-30 19:24:19.000000000 -0400
21	***************
22	* 168,171 **
23	--- 168,174 ----
24	static int reserved_word_acceptable __P((int));
25	static int yylex __P((void));
26	+
27	+ static void push_heredoc __P((REDIRECT *));
28	+ static char mk_alexpansion __P((char ));
29	static int alias_expand_token __P((char *));
30	static int time_command_acceptable __P((void));
31	***************
32	* 265,269 **
33	/* Variables to manage the task of reading here documents, because we need to
34	defer the reading until after a complete command has been collected. */
35	! static REDIRECT *redir_stack[10];
36	int need_here_doc;
37
38	--- 268,274 ----
39	/* Variables to manage the task of reading here documents, because we need to
40	defer the reading until after a complete command has been collected. */
41	! #define HEREDOC_MAX 16
42	!
43	! static REDIRECT *redir_stack[HEREDOC_MAX];
44	int need_here_doc;
45
46	***************
47	* 307,311 **
48	index is decremented after a case, select, or for command is parsed. */
49	#define MAX_CASE_NEST 128
50	! static int word_lineno[MAX_CASE_NEST];
51	static int word_top = -1;
52
53	--- 312,316 ----
54	index is decremented after a case, select, or for command is parsed. */
55	#define MAX_CASE_NEST 128
56	! static int word_lineno[MAX_CASE_NEST+1];
57	static int word_top = -1;
58
59	***************
60	* 520,524 **
61	redir.filename = $2;
62	$$ = make_redirection (source, r_reading_until, redir, 0);
63	! redir_stack[need_here_doc++] = $$;
64	}
65	\| NUMBER LESS_LESS WORD
66	--- 525,529 ----
67	redir.filename = $2;
68	$$ = make_redirection (source, r_reading_until, redir, 0);
69	! push_heredoc ($$);
70	}
71	\| NUMBER LESS_LESS WORD
72	***************
73	* 527,531 **
74	redir.filename = $3;
75	$$ = make_redirection (source, r_reading_until, redir, 0);
76	! redir_stack[need_here_doc++] = $$;
77	}
78	\| REDIR_WORD LESS_LESS WORD
79	--- 532,536 ----
80	redir.filename = $3;
81	$$ = make_redirection (source, r_reading_until, redir, 0);
82	! push_heredoc ($$);
83	}
84	\| REDIR_WORD LESS_LESS WORD
85	***************
86	* 534,538 **
87	redir.filename = $3;
88	$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
89	! redir_stack[need_here_doc++] = $$;
90	}
91	\| LESS_LESS_MINUS WORD
92	--- 539,543 ----
93	redir.filename = $3;
94	$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
95	! push_heredoc ($$);
96	}
97	\| LESS_LESS_MINUS WORD
98	***************
99	* 541,545 **
100	redir.filename = $2;
101	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
102	! redir_stack[need_here_doc++] = $$;
103	}
104	\| NUMBER LESS_LESS_MINUS WORD
105	--- 546,550 ----
106	redir.filename = $2;
107	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
108	! push_heredoc ($$);
109	}
110	\| NUMBER LESS_LESS_MINUS WORD
111	***************
112	* 548,552 **
113	redir.filename = $3;
114	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
115	! redir_stack[need_here_doc++] = $$;
116	}
117	\| REDIR_WORD LESS_LESS_MINUS WORD
118	--- 553,557 ----
119	redir.filename = $3;
120	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
121	! push_heredoc ($$);
122	}
123	\| REDIR_WORD LESS_LESS_MINUS WORD
124	***************
125	* 555,559 **
126	redir.filename = $3;
127	$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
128	! redir_stack[need_here_doc++] = $$;
129	}
130	\| LESS_LESS_LESS WORD
131	--- 560,564 ----
132	redir.filename = $3;
133	$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
134	! push_heredoc ($$);
135	}
136	\| LESS_LESS_LESS WORD
137	***************
138	* 2534,2537 **
139	--- 2539,2557 ----
140	static int esacs_needed_count;
141
142	+ static void
143	+ push_heredoc (r)
144	+ REDIRECT *r;
145	+ {
146	+ if (need_here_doc >= HEREDOC_MAX)
147	+ {
148	+ last_command_exit_value = EX_BADUSAGE;
149	+ need_here_doc = 0;
150	+ report_syntax_error (_("maximum here-document count exceeded"));
151	+ reset_parser ();
152	+ exit_shell (last_command_exit_value);
153	+ }
154	+ redir_stack[need_here_doc++] = r;
155	+ }
156	+
157	void
158	gather_here_documents ()
159	*** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010
160	--- patchlevel.h Thu Feb 24 21:41:34 2011
161	***************
162	* 26,30 **
163	looks for to find the patch level (for the sccs version string). */
164
165	! #define PATCHLEVEL 50
166
167	#endif /* _PATCHLEVEL_H_ */
168	--- 26,30 ----
169	looks for to find the patch level (for the sccs version string). */
170
171	! #define PATCHLEVEL 51
172
173	#endif /* _PATCHLEVEL_H_ */