Diffstat (limited to 'patches/source/bash/patches/bash31-021')
-rw-r--r-- | patches/source/bash/patches/bash31-021 | 147 |
1 files changed, 147 insertions, 0 deletions
diff --git a/patches/source/bash/patches/bash31-021 b/patches/source/bash/patches/bash31-021
new file mode 100644
index 000000000..9e07c2868
--- /dev/null
+++ b/patches/source/bash/patches/bash31-021
@@ -0,0 +1,147 @@
+ BASH PATCH REPORT
+ =================
+
+Bash-Release: 3.1
+Patch-ID: bash31-021
+
+Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
+Bug-Reference-ID:
+Bug-Reference-URL:
+
+Bug-Description:
+
+There are two local buffer overflows in parse.y that can cause the shell
+to dump core when given many here-documents attached to a single command
+or many nested loops.
+
+Patch:
+
+*** ../bash-3.1.20/parse.y 2014-09-27 12:16:39.000000000 -0400
+--- parse.y 2014-09-30 19:49:41.000000000 -0400
+***************
+*** 167,170 ****
+--- 167,173 ----
+ static int reserved_word_acceptable __P((int));
+ static int yylex __P((void));
++
++ static void push_heredoc __P((REDIRECT *));
++ static char *mk_alexpansion __P((char *));
+ static int alias_expand_token __P((char *));
+ static int time_command_acceptable __P((void));
+***************
+*** 259,263 ****
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! static REDIRECT *redir_stack[10];
+ int need_here_doc;
+
+--- 262,268 ----
+ /* Variables to manage the task of reading here documents, because we need to
+ defer the reading until after a complete command has been collected. */
+! #define HEREDOC_MAX 16
+!
+! static REDIRECT *redir_stack[HEREDOC_MAX];
+ int need_here_doc;
+
+***************
+*** 285,289 ****
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST];
+ static int word_top = -1;
+
+--- 290,294 ----
+ index is decremented after a case, select, or for command is parsed. */
+ #define MAX_CASE_NEST 128
+! static int word_lineno[MAX_CASE_NEST+1];
+ static int word_top = -1;
+
+***************
+*** 430,434 ****
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS WORD
+--- 435,439 ----
+ redir.filename = $2;
+ $$ = make_redirection (0, r_reading_until, redir);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS WORD
+***************
+*** 436,440 ****
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | LESS_LESS_LESS WORD
+--- 441,445 ----
+ redir.filename = $3;
+ $$ = make_redirection ($1, r_reading_until, redir);
+! push_heredoc ($$);
+ }
+ | LESS_LESS_LESS WORD
+***************
+*** 493,497 ****
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+--- 498,502 ----
+ $$ = make_redirection
+ (0, r_deblank_reading_until, redir);
+! push_heredoc ($$);
+ }
+ | NUMBER LESS_LESS_MINUS WORD
+***************
+*** 500,504 ****
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+! redir_stack[need_here_doc++] = $$;
+ }
+ | GREATER_AND '-'
+--- 505,509 ----
+ $$ = make_redirection
+ ($1, r_deblank_reading_until, redir);
+! push_heredoc ($$);
+ }
+ | GREATER_AND '-'
+***************
+*** 2211,2214 ****
+--- 2216,2234 ----
+ static int esacs_needed_count;
+
++ static void
++ push_heredoc (r)
++ REDIRECT *r;
++ {
++ if (need_here_doc >= HEREDOC_MAX)
++ {
++ last_command_exit_value = EX_BADUSAGE;
++ need_here_doc = 0;
++ report_syntax_error (_("maximum here-document count exceeded"));
++ reset_parser ();
++ exit_shell (last_command_exit_value);
++ }
++ redir_stack[need_here_doc++] = r;
++ }
++
+ void
+ gather_here_documents ()
+*** ../bash-3.1/patchlevel.h Wed Jul 20 13:58:20 2005
+--- patchlevel.h Wed Dec 7 13:48:42 2005
+***************
+*** 26,30 ****
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 20
+
+ #endif /* _PATCHLEVEL_H_ */
+--- 26,30 ----
+ looks for to find the patch level (for the sccs version string). */
+
+! #define PATCHLEVEL 21
+
+ #endif /* _PATCHLEVEL_H_ */ |
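Review bot: The `word_lineno[MAX_CASE_NEST+1]` change in the `*** 285,289 ****` section of the embedded parse.y patch only enlarges the array by one slot and adds no bound on `word_top`. The fix therefore presumably depends on an existing guard at the sites that increment `word_top`, which lie outside this patch and should be confirmed in the 3.1 tree being built. The here-document path, by contrast, gets an explicit check in `push_heredoc`. A comment above `#define HEREDOC_MAX 16`, such as `/* Hard limit on pending here-documents; push_heredoc reports a syntax error and exits the shell when it is reached. */`, would record that the overflow path ends in `exit_shell` rather than only failing the command. The report's `Bug-Reference-ID:` and `Bug-Reference-URL:` fields are empty, so the commit message is the natural place to name the advisory this patch addresses.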