bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Infinite loop in rl_forward_word


From: Eduardo Bustamante
Subject: Infinite loop in rl_forward_word
Date: Tue, 9 May 2017 09:28:32 -0500

dualbus@debian:~/bash-fuzzing/read-readline$ base64 loop
AAAbLbUA9loQGDIYLhwYGBkYGJgYGBj4FwAYYBlEAERLG0YK

dualbus@debian:~/bash-fuzzing/read-readline$ od -c loop
0000000  \0  \0 033   - 265  \0 366   Z 020 030   2 030   . 034 030 030
0000020 031 030 030 230 030 030 030 370 027  \0 030   ` 031   D  \0   D
0000040   K 033   F  \n
0000044

(gdb) r -c 'exec <loop; read -e'
Starting program: /home/dualbus/src/gnu/bash/bash -c 'exec <loop; read -e'
U^@^A^@^@U^@^A^@^@U^C
Program received signal SIGINT, Interrupt.
0x000000000052f42c in _rl_find_next_mbchar (string=0xffffffff00000001
<error: Cannot access memory at address 0xffffffff00000001>,
    seed=102, count=0, flags=1) at mbutil.c:355
355       return _rl_find_next_mbchar_internal (string, seed, count, flags);
(gdb) bt
#0  0x000000000052f42c in _rl_find_next_mbchar (
    string=0xffffffff00000001 <error: Cannot access memory at address
0xffffffff00000001>, seed=102, count=0, flags=1)
    at mbutil.c:355
#1  0x000000000052426a in rl_forward_word (count=1, key=102) at text.c:470
#2  0x00000000004fe797 in _rl_dispatch_subseq (key=102, map=0x771d80
<emacs_meta_keymap>, got_subseq=0) at readline.c:851
#3  0x00000000004fe139 in _rl_dispatch (key=102, map=0x771d80
<emacs_meta_keymap>) at readline.c:797
#4  0x00000000004fe6b1 in _rl_dispatch_subseq (key=70, map=0x771d80
<emacs_meta_keymap>, got_subseq=0) at readline.c:840
#5  0x00000000004fed5f in _rl_dispatch_subseq (key=27, map=0x772d90
<emacs_standard_keymap>, got_subseq=0) at readline.c:985
#6  0x00000000004fe139 in _rl_dispatch (key=27, map=0x772d90
<emacs_standard_keymap>) at readline.c:797
#7  0x00000000004fe0a9 in readline_internal_char () at readline.c:629
#8  0x00000000004ff692 in readline_internal_charloop () at readline.c:656
#9  0x00000000004fda02 in readline_internal () at readline.c:670
#10 0x00000000004fd8c0 in readline (prompt=0x551319 "") at readline.c:374
#11 0x00000000004ccfd6 in edit_line (p=0x551319 "", itext=0x0) at
./read.def:1070
#12 0x00000000004cbc13 in read_builtin (list=0x0) at ./read.def:550
#13 0x000000000044efaf in execute_builtin (builtin=0x4cad80
<read_builtin>, words=0x8296c8, flags=0, subshell=0)
    at execute_cmd.c:4605
#14 0x000000000044e3e0 in execute_builtin_or_function (words=0x8296c8,
builtin=0x4cad80 <read_builtin>, var=0x0, redirects=0x0,
    fds_to_close=0x829628, flags=0) at execute_cmd.c:5103
#15 0x0000000000447095 in execute_simple_command
(simple_command=0x8299c8, pipe_in=-1, pipe_out=-1, async=0,
fds_to_close=0x829628)
    at execute_cmd.c:4391
#16 0x0000000000444b71 in execute_command_internal (command=0x829988,
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x829628)
    at execute_cmd.c:812
#17 0x0000000000448b18 in execute_connection (command=0x829c48,
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x829628)
    at execute_cmd.c:2639
#18 0x0000000000444f2e in execute_command_internal (command=0x829c48,
asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x829628)
    at execute_cmd.c:980
#19 0x00000000004c1fd7 in parse_and_execute (string=0x811268 "exec
<loop; read -e", from_file=0x535b5f "-c", flags=4)
    at evalstring.c:430
#20 0x00000000004271af in run_one_command (command=0x7fffffffe70c
"exec <loop; read -e") at shell.c:1405
#21 0x00000000004251fd in main (argc=3, argv=0x7fffffffe458,
env=0x7fffffffe478) at shell.c:718

(gdb) frame 1
#1  0x000000000052426a in rl_forward_word (count=1, key=102) at text.c:470
470                   rl_point = MB_NEXTCHAR (rl_line_buffer,
rl_point, 1, MB_FIND_NONZERO);
(gdb) p rl_point
$1 = 1
(gdb) p rl_end
$2 = 11
(gdb) p rl_line_buffer
$3 = 0x82d408 "U"

# if the first payload doesn't work, try with:
dualbus@debian:~/bash-fuzzing/read-readline$ base64
id\:000459\,sig\:06\,src\:021330+019452\,op\:splice\,rep\:4
AAAbLbUA9loQGDIYLhwYGBkYGJgYGBj4FwAYYBlEAERLG0ZKRBkZOxkZMC24FWT/nEoRgPoAABlR
GRkwN5gVZP+AShGD+gAF+hlEAEQABAFKLgBESxsBSlcCJiYmSCZKRBkmJn//Jn8mIiYmJiYZnj/l
np6CnqiJGRkZGwU=



reply via email to

[Prev in Thread] Current Thread [Next in Thread]