
possible write to an invalid address

From: Henning Garus
Subject: possible write to an invalid address
Date: Sun, 04 Oct 2009 07:14:51 -0700 (PDT)

Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' 
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib   -march=i686 -mtune=generic -O2 
-pipe -ggdb
uname output: Linux helios 2.6.31-ARCH #1 SMP PREEMPT Sat Sep 26 02:39:09 CEST 
2009 i686 AMD Athlon(tm) XP 2600+ AuthenticAMD GNU/Linux
Machine Type: i686-pc-linux-gnu

Bash Version: 4.0
Patch Level: 33
Release Status: release

  When bash_dequote_filename() is called with text ending with a
  backslash and double quote as quote_char, it writes beyond the memory
  allocated for ret, thus corrupting memory. 

  This was originally reported as bash crashing when trying to
  wine "c:\windows\

  I can replicate this behaviour on my i686 system.

  bash_dequote_filename() checks if *p is '\0' after writing it to r and
  later writes another '\0' behind that. Move the check before the write:

--- bash-4.0.orig/bashline.c    2009-10-04 15:06:46.000000000 +0200
+++ bash-4.0/bashline.c 2009-10-04 15:07:03.000000000 +0200
@@ -3223,9 +3223,9 @@ bash_dequote_filename (text, quote_char)
          else if (quoted == '"' && ((sh_syntaxtab[p[1]] & CBSDQUOTE) == 0))
            *r++ = *p;
-         *r++ = *++p;
-         if (*p == '\0')
+         if (*++p == '\0')
+         *r++ = *p;
       /* Close quote. */
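Review bot: the two `+` lines are only a fix if `if (*++p == '\0')` still guards a `break;`, and that line is not visible here: the header promises 9 lines on each side of the hunk but only 7 are shown, so the archived copy appears to have lost the `break;` and the lines after it. With the `break;` in place the new ordering is right: the terminating NUL is no longer copied by `*r++ = *p`, so the terminator written after the loop is the only one and the output stays inside the buffer allocated for ret. Without it the condition would instead guard the `*r++ = *p;` copy and every escaped character except the terminator would be dropped. The commit message should also say what the old code did, namely write two NULs (one inside the loop, one after it) for text ending in a backslash, since that extra byte is the whole bug.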

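As an added illustration that is not bash's code and not part of the report, a cut-down stand-in for the dequote loop that measures bytes instead of overflowing: with the original ordering, text ending in a backslash under a double quote produces two terminators, one byte more than a strlen(text)+1 buffer holds, while the patched ordering produces one. The set of escapable characters inside double quotes and the strlen(text)+1 sizing of ret are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>
/* Characters a backslash may escape inside "..." (an assumption standing in
   for bash's sh_syntaxtab/CBSDQUOTE test, not bash's real table). */
static int dq_escapable(int c) { return c == '"' || c == '\\' || c == '$' || c == '`'; }
/* Bounded store: counts every byte the loop wants to write but never writes
   past CAP, so the overflow is measured instead of performed. */
static void put(char *out, size_t cap, size_t *n, char c)
{
    if (*n < cap) out[*n] = c;
    (*n)++;
}

/* Toy dequoter modelled on the loop in the report; returns the number of bytes
   it tried to write, terminator included.  CHECK_FIRST=0 is the ordering
   before the patch, 1 the ordering after it. */
size_t dequote(const char *text, char quote_char, char *out, size_t cap, int check_first)
{
    size_t n = 0;
    const char *p;
    for (p = text; *p; p++) {
        if (*p == '\\') {
            if (quote_char == '"' && !dq_escapable((unsigned char) p[1]))
                put(out, cap, &n, '\\');  /* backslash stays literal here */
            if (check_first) {
                if (*++p == '\0') break;  /* patched: look before copying */
                put(out, cap, &n, *p);
            } else {
                put(out, cap, &n, *++p);  /* original: copies the NUL ... */
                if (*p == '\0') break;    /* ... and only then notices it */
            }
            continue;
        }
        if (*p == quote_char) continue;   /* the quote itself is not output */
        put(out, cap, &n, *p);
    }
    put(out, cap, &n, '\0');              /* unconditional terminator, as in bash */
    return n;
}

int main(void)
{
    const char *text = "c:\\windows\\";  /* constructed from the report's input */
    char buf[32];
    size_t alloc = strlen(text) + 1;      /* assumed size of ret */
    printf("original: %zu bytes for a %zu-byte buffer\n", dequote(text, '"', buf, sizeof buf, 0), alloc);
    printf("patched:  %zu bytes for a %zu-byte buffer\n", dequote(text, '"', buf, sizeof buf, 1), alloc);
    return 0;
}
```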