bug-bash

Re: heap-buffer-overflow in history_expand


From: Grisha Levit
Subject: Re: heap-buffer-overflow in history_expand
Date: Fri, 28 Apr 2023 21:28:24 -0400

On Fri, Apr 28, 2023, 11:35 Chet Ramey <chet.ramey@case.edu> wrote:

> On 4/24/23 1:40 AM, Grisha Levit wrote:
> > The history expansion code can end up reading past the end of the
> > input line buffer if the line ends with an invalid multibyte sequence:
>
> Thanks for the report. You mean an incomplete multibyte character, I think.
>

Well I'm not quite sure. The (piped) input needs to have an invalid
sequence (two leading bytes) but readline transforms this invalid sequence
into just a single leading byte.

Piping input that simply ends in a leading byte doesn't trigger the issue
-- that byte doesn't seem to make it into the input line.

This is a bit off topic, but I don't really understand what happens with
invalid input sequences in the input, see e.g.:

$ bash --norc -i 2>/dev/null <<<$'printf %q\\\\n \240\340'
$'\240'
$ bash --norc -i 2>/dev/null <<<$'printf %q\\\\n \240\340.'
$'\240.'
$ bash --norc -i 2>/dev/null <<<$'printf %q\\\\n \240\340.\341'
$'\240.\340'

(Especially the last one where the 2nd and 3rd bytes of the string are
reversed)
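
The class of over-read discussed in this thread, as an added C example that is not bash or readline source and not part of the original message: a character stepper that trusts the length a lead byte claims ends up with an index past the end of a line that finishes in a lone lead byte, while a bounded stepper stops at the end. It assumes UTF-8; the helpers (`utf8_claimed_len`, `step_trusting`, `step_bounded`, `walk`) are hypothetical and the sample line is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Sequence length a UTF-8 lead byte claims; 1 for ASCII, stray
   continuation bytes and invalid lead bytes (hypothetical helper). */
static size_t utf8_claimed_len(unsigned char c)
{
    if (c >= 0xC2 && c <= 0xDF) return 2;
    if (c >= 0xE0 && c <= 0xEF) return 3;
    if (c >= 0xF0 && c <= 0xF4) return 4;
    return 1;
}

/* Unbounded step: trusts the lead byte. If the line ends in a lead
   byte, the returned index lies past the terminating NUL. */
size_t step_trusting(const char *s, size_t i)
{
    return i + utf8_claimed_len((unsigned char)s[i]);
}

/* Bounded step: take the claimed length only if every continuation
   byte is present inside [0, len); otherwise consume exactly one byte. */
size_t step_bounded(const char *s, size_t len, size_t i)
{
    size_t n = utf8_claimed_len((unsigned char)s[i]);
    if (n > len - i)
        return i + 1;                      /* sequence cut off by end of line */
    for (size_t k = 1; k < n; k++)
        if (((unsigned char)s[i + k] & 0xC0) != 0x80)
            return i + 1;                  /* not a continuation byte */
    return i + n;
}

/* Walk a line character by character and return the final index.
   A result greater than len means the scan position left the buffer. */
size_t walk(const char *s, size_t len, int bounded)
{
    size_t i = 0;
    while (i < len)
        i = bounded ? step_bounded(s, len, i) : step_trusting(s, i);
    return i;
}

int main(void)
{
    /* Constructed sample: 7-byte line ending in the lone lead byte 0xE0. */
    const char line[] = "echo \xa0\xe0";
    return walk(line, strlen(line), 1) == strlen(line) ? 0 : 1;
}
```

Any code that dereferences the index returned by the unbounded walk reads outside the line buffer, which is the kind of access a sanitizer reports as a heap-buffer-overflow.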

