bug-bash
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

strcpy of overlapping memory ranges in prompt expansion

From: simon
Subject: strcpy of overlapping memory ranges in prompt expansion
Date: Wed, 3 Jul 2013 22:06:34 +0200 (CEST) 
Configuration Information [Automatically generated, do not change]:
Machine: i386
OS: darwin13.0.0
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i386' 
-DCONF_OSTYPE='darwin13.0.0' -DCONF_MACHTYPE='i386-apple-darwin13.0.0' 
-DCONF_VENDOR='apple' -DLOCALEDIR='/usr/local/share/locale' -DPACKAGE='bash' 
-DSHELL -DHAVE_CONFIG_H -DMACOSX   -I.  -I. -I./include -I./lib -I./lib/intl 
-I/Users/simon/src/bash-4.2/lib/intl  -g -O2
uname output: Darwin darnassus 13.0.0 Darwin Kernel Version 13.0.0: Wed Jun 19 
17:59:46 PDT 2013; root:xnu-2422.1.26.0.1~2/RELEASE_X86_64 x86_64
Machine Type: i386-apple-darwin13.0.0

Bash Version: 4.2
Patch Level: 45
Release Status: release

Description:
        When using \w in the prompt and changing the directory outside of HOME
        bash crashes with an abort trap.
        strcpy(3) say src and dst must not overlap. OS X 10.9 checks that on
        runtime and forcefully aborts your code if they do.

Repeat-By:
        PS1="\w"
        cd /
        bash exists with an abort trap.

Fix:
Assign the return value from polite_directory_format to a temporary value.
If the pointers are different and only then do a strcpy
--- parse.y.orig        2013-07-03 22:00:42.000000000 +0200
+++ parse.y     2013-07-03 22:02:23.000000000 +0200
@@ -5262,7 +5262,12 @@
        else
          /* polite_directory_format is guaranteed to return a string
             no longer than PATH_MAX - 1 characters. */
-                 strcpy (t_string, polite_directory_format (t_string));
+                  /* polite_directory_format might simply return the pointer 
to t_string
+                     strcpy(3) tells dst and src may not overlap, OS X 10.9 
asserts this and
+                     triggers an abort trap if that's the case */
+                  temp = polite_directory_format (t_string);
+                  if (temp != t_string)
+                   strcpy (t_string, temp);
 
        temp = trim_pathname (t_string, PATH_MAX - 1);
        /* If we're going to be expanding the prompt string later,
reply via email to
[Prev in Thread] Current Thread [Next in Thread]