bug-bash

bash -n: stack overflow in extract_delimited_string()


From: Jakub Wilk
Subject: bash -n: stack overflow in extract_delimited_string()
Date: Mon, 3 Aug 2020 11:30:55 +0200
User-agent: NeoMutt/20180716

Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -O2 -Wno-parentheses -Wno-format-security
uname output: Linux debian 4.19.0-9-cloud-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.0
Patch Level: 18
Release Status: release

bash crashes with stack overflow when checking syntax of this crafted script:

  $ ulimit -s
  8192

  $ printf 'x[$(($(fi)))`\n%050000d\n][`]\n' | tr 0 '(' | bash -n
  bash: command substitution: line 4: syntax error near unexpected token `fi'
  bash: command substitution: line 4: `fi)))`'
  Segmentation fault

Backtrace:

  #0  0x000056084f0c841c in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde769a0fc, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1326
  #1  0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde769a1ac, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
  #2  0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde769a25c, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
  ...
  #47577 0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde7e9662c, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
  #47578 0x000056084f0c8819 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde7e966dc, opener=opener@entry=0x56084f14bc31 "(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1400
  #47579 0x000056084f0c8c02 in extract_delimited_string (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., sindex=sindex@entry=0x7ffde7e9676c, opener=opener@entry=0x56084f14bc30 "$(", alt_opener=alt_opener@entry=0x56084f14bc31 "(", closer=closer@entry=0x56084f14a41f ")", flags=flags@entry=9) at subst.c:1410
  #47580 0x000056084f0c917b in skip_matched_pair (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., start=<optimized out>, flags=flags@entry=0, close=93, open=91) at subst.c:1799
  #47581 0x000056084f0ca485 in skipsubscript (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., start=<optimized out>, flags=flags@entry=0) at subst.c:1827
  #47582 0x000056084f0a62be in assignment (string=string@entry=0x56084f2a6008 "x[$(($(fi)))`\n", '(' <repeats 186 times>..., flags=0) at general.c:440
  #47583 0x000056084f0a034c in read_token_word (character=10) at /usr/homes/chet/src/bash/src/parse.y:5305
  #47584 read_token (command=<optimized out>) at /usr/homes/chet/src/bash/src/parse.y:3445
  #47585 read_token (command=0) at /usr/homes/chet/src/bash/src/parse.y:3202
  #47586 0x000056084f0a2698 in yylex () at /usr/homes/chet/src/bash/src/parse.y:2761
  #47587 yyparse () at y.tab.c:1842
  #47588 0x000056084f098486 in parse_command () at eval.c:303
  #47589 0x000056084f0985a4 in read_command () at eval.c:347
  #47590 0x000056084f0987b8 in reader_loop () at eval.c:143
  #47591 0x000056084f09715d in main (argc=2, argv=0x7ffde7e979a8, env=0x7ffde7e979c0) at shell.c:805

--
Jakub Wilk
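
The backtrace above shows one extract_delimited_string() frame per nested "(", so stack use grows with nesting depth in the input. The following is an added example, not part of the original message and not bash's code or its upstream fix: a simplified model of such a recursive scanner with a nesting cap that returns an error instead of overflowing. The names skip_parens, scan, scan_deep and MAX_NEST, and the cap of 1000, are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NEST 1000 /* assumed cap for this example, not a bash constant */

/* Hypothetical model of a recursive delimiter scanner: one call frame per
 * nested '('. s[i] is the first byte after an opener. Returns the index just
 * past the matching ')', -1 if input ends first, -2 if nesting > MAX_NEST. */
static long skip_parens(const char *s, size_t i, int depth)
{
    if (depth > MAX_NEST)
        return -2;              /* fail closed instead of exhausting the stack */
    while (s[i] != '\0') {
        char c = s[i++];
        if (c == ')')
            return (long)i;
        if (c == '(') {
            long next = skip_parens(s, i, depth + 1);
            if (next < 0)
                return next;    /* propagate the error to the outermost caller */
            i = (size_t)next;
        }
    }
    return -1;
}

/* Scan from the first '(' in s; returns 0 when s has no opener. */
long scan(const char *s)
{
    const char *p = strchr(s, '(');
    return p ? skip_parens(s, (size_t)(p - s) + 1, 1) : 0;
}

/* Constructed input: n unclosed openers, the shape of the report's script. */
long scan_deep(size_t n)
{
    char *buf = malloc(n + 1);
    if (buf == NULL) return -3;
    memset(buf, '(', n);
    buf[n] = '\0';
    long r = scan(buf);
    free(buf);
    return r;
}

int main(void)
{
    printf("balanced: %ld, 50000 openers: %ld\n", scan("x(a(b)c)d"), scan_deep(50000));
    return 0;
}
```

With the cap in place, the 50000-opener input yields the error code -2 after 1001 frames rather than recursing until the stack limit is hit.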


