bug-bash
From: Brian Carpenter
Subject: null ptr deref and segfault in parameter_brace_transform.isra.17 () at subst.c:6827 (bash 4.4.0(1)-beta)
Date: Sat, 19 Sep 2015 23:17:33 -0500

I found another null ptr deref and segfault. This only seems to affect bash 4.4.0, as 4.2.37(1)-release and 4.2.37(1)-release only return a 'bad substitution' error message.

bash -c '${!a@a}'

Program received signal SIGSEGV, Segmentation fault.
0x00000000005d36b7 in parameter_brace_transform.isra.17 () at subst.c:6827
6827    vname = parameter_brace_find_indir (varname+1, SPECIAL_VAR (varname, 1), quoted, 1);
(gdb) bt
#0  0x00000000005d36b7 in parameter_brace_transform.isra.17 () at subst.c:6827
#1  0x000000000059f65d in parameter_brace_expand () at subst.c:8020
#2  0x00000000005a1eec in param_expand () at subst.c:8384
#3  0x00000000005c1650 in expand_word_list_internal () at subst.c:8936
#4  0x00000000004a9965 in execute_simple_command () at execute_cmd.c:4079
#5  0x00000000004b497e in execute_command_internal () at execute_cmd.c:813
#6  0x00000000004bcf1d in execute_command () at execute_cmd.c:416
#7  0x00000000004317e0 in reader_loop ()
#8  0x0000000000429bdb in main () at shell.c:767

==40990== Invalid read of size 1
==40990==    at 0x5D36B7: get_var_and_type (subst.c:6827)
==40990==    by 0x5D36B7: parameter_brace_transform.isra.17 (subst.c:4937)
==40990==    by 0x59F65C: parameter_brace_expand (subst.c:8020)
==40990==    by 0x5A1EEB: param_expand (subst.c:8384)
==40990==    by 0x5C164F: expand_word_internal (subst.c:8936)
==40990==    by 0x5C164F: shell_expand_word_list (subst.c:10177)
==40990==    by 0x5C164F: expand_word_list_internal (subst.c:10300)
==40990==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==40990==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==40990==    by 0x6B5D61: parse_and_execute (evalstring.c:413)
==40990==    by 0x41F7A4: run_one_command (shell.c:1374)
==40990==    by 0x4295A9: main (shell.c:699)
==40990==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==40990== 
==40990== Process terminating with default action of signal 11 (SIGSEGV)
==40990==  Access not within mapped region at address 0x0
==40990==    at 0x5D36B7: get_var_and_type (subst.c:6827)
==40990==    by 0x5D36B7: parameter_brace_transform.isra.17 (subst.c:4937)
==40990==    by 0x59F65C: parameter_brace_expand (subst.c:8020)
==40990==    by 0x5A1EEB: param_expand (subst.c:8384)
==40990==    by 0x5C164F: expand_word_internal (subst.c:8936)
==40990==    by 0x5C164F: shell_expand_word_list (subst.c:10177)
==40990==    by 0x5C164F: expand_word_list_internal (subst.c:10300)
==40990==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==40990==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==40990==    by 0x6B5D61: parse_and_execute (evalstring.c:413)
==40990==    by 0x41F7A4: run_one_command (shell.c:1374)
==40990==    by 0x4295A9: main (shell.c:699)
==40990==  If you believe this happened as a result of a stack
==40990==  overflow in your program's main thread (unlikely but
==40990==  possible), you can try to increase the size of the
==40990==  main thread stack using the --main-stacksize= flag.
==40990==  The main thread stack size used in this run was 8388608.
Segmentation fault

Regards,

Brian 'geeknik' Carpenter
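An added regression check, not part of the report above or of the bash project: it runs the one-line reproducer from the report against one or more shell binaries and classifies each outcome by exit status, so a build can be tested for the crash without a debugger. It relies on the POSIX convention that a shell killed by a signal exits with 128 plus the signal number (139 for SIGSEGV); the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Regression check for the '${!a@a}' crash (added example, not bash's own code).
# A build that is affected dies with SIGSEGV and reports exit status 139;
# a build that rejects the expansion cleanly reports an ordinary error code.

REPRO='${!a@a}'   # the exact expansion from the report, passed literally

# classify_status STATUS -> prints one of: ok, error, signal, segfault
classify_status() {
    case "$1" in
        0)   echo ok ;;
        139) echo segfault ;;          # 128 + 11 (SIGSEGV)
        *)   if [ "$1" -gt 128 ]; then echo signal; else echo error; fi ;;
    esac
}

# run_repro SHELL_BIN -> runs the reproducer in SHELL_BIN and prints its class.
# The 'if' keeps a failing child from tripping 'set -e' in a calling script.
run_repro() {
    if "$1" -c "$REPRO" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    classify_status "$status"
}

# check_shell SHELL_BIN -> prints "SHELL_BIN: class"; returns 0 when the shell
# survived the expansion (ok or error) and 1 when it was killed by a signal.
check_shell() {
    result=$(run_repro "$1")
    printf '%s: %s\n' "$1" "$result"
    case "$result" in
        ok|error) return 0 ;;
        *)        return 1 ;;
    esac
}

# Usage (file name assumed): sh check_brace_repro.sh /path/to/bash [...]
# With no arguments the bash found on PATH is checked.
if [ $# -eq 0 ]; then set -- bash; fi
rc=0
for shell in "$@"; do
    check_shell "$shell" || rc=1
done
[ "$rc" -eq 0 ] || echo "at least one shell crashed on $REPRO"
```

Run it against each bash binary you ship; the expected result on a fixed build is a line ending in "error" (the 'bad substitution' message the report mentions for 4.2), while "segfault" marks an affected build.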
