[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Use of TMPDIR crashes bash
From: |
Eric Blake |
Subject: |
Use of TMPDIR crashes bash |
Date: |
Wed, 13 Dec 2006 17:07:46 +0000 (UTC) |
User-agent: |
Loom/3.14 (http://gmane.org/) |
Configuration Information:
Machine: i686
OS: cygwin
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash.exe' -DCONF_HOSTTYPE='i686' -
DCONF_OSTYPE='cygwin' -DCONF_MACHTYPE='i686-pc-cygwin' -DCONF_VENDOR='pc' -
DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -
DRECYCLES_PIDS -I. -I/tmp/bash-3.2 -I/tmp/bash-3.2/include -I/tmp/bash-
3.2/lib -O2
uname output: CYGWIN_NT-5.0 eblake 1.7.0(0.160/4/2) 2006-11-28 21:51 i686 Cygwin
Machine Type: i686-pc-cygwin
Bash Version: 3.2
Patch Level: 5
Release Status: release
Description:
Two bugs. First, 'man bash' claims that $TMPDIR is honored for all
temporary files created by bash. This is true for temp files used in
implementing the builtin 'fc' (using the template bash-fcXXXXXX), but not true
for here-docs (the template sh-thdXXXXXX), or on platforms that
lack /proc/self/fd, for named pipes (the template sh-npXXXXXX).
Second, if TMPDIR is set to an invalid directory name longer than PATH_MAX,
bash corrupts the heap. True, setting TMPDIR to a non-directory is wrong, but
bash should gracefully fall back to P_tmpdir (if defined) or "/tmp" in that
case, rather than crashing.
Repeat-By:
For an example on Cygwin, where PATH_MAX is 260, this sequence will
hang bash due to heap corruption:
$ TMPDIR=`perl -e 'print "a"x5000'`
$ fc
Fix:
In redir.c and subst.c, pass the MT_USETMPDIR flag on to sh_mktmp*.
In lib/sh/tmpfile.c, use snprintf instead of sprintf, to avoid writing
past the end of the xmalloc'd array.
--
Eric Blake
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Use of TMPDIR crashes bash,
Eric Blake <=