Bug in realloc_jobs

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Bug in realloc_jobs_list()

From:	Jan Niehusmann
Subject:	Bug in realloc_jobs_list()
Date:	Fri, 3 Feb 2006 23:50:10 +0100
User-agent:	Mutt/1.5.11+cvs20060126

realloc_jobs_list() in bash 3.1 doesn't zero out the unused entries of
the jobs[] array, so bash may segfault later when trying to dereference
these entries. A reliable way to reproduce the segfault, at least on
i386 linux, is

% seq 0 10000 | while read line; do /bin/echo $line ; done | tail -2
4095
4096

This behaviour was reported by Laird Breyer <laird@lbreyer.com> in the
debian bug tracking system.
(See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=347695 for
details)

The fix is quite simple:

--- bash/jobs.c.orig    2006-02-03 22:27:07.000000000 +0100
+++ bash/jobs.c 2006-02-03 22:27:58.000000000 +0100
@@ -858,6 +858,9 @@
   for (i = j = 0; i < js.j_jobslots; i++)
     if (jobs[i])
       nlist[j++] = jobs[i];
+  
+  for (i=j; i<nsize; i++)
+    nlist[i] = (JOB *)NULL;
 
   js.j_firstj = 0;
   js.j_lastj = (j > 0) ? j - 1: 0;

[Prev in Thread]

Current Thread

[Next in Thread]

Bug in realloc_jobs_list(), Jan Niehusmann <=
- Re: Bug in realloc_jobs_list(), Mike Frysinger, 2006/02/05

Prev by Date: Re: support /etc/inputrc as a system-wide fallback default ?
Next by Date: regression with color prompt + utf8
Previous by thread: support /etc/inputrc as a system-wide fallback default ?
Next by thread: Re: Bug in realloc_jobs_list()
Index(es):
- Date
- Thread