Gentoo's Bugzilla – Attachment 385462 Details for Bug 523742
<app-shells/bash-{3.1_p21, 3.2_p55, 4.0_p42, 4.1_p15, 4.2_p51}: Two out-of-bounds array accesses in the bash parser (CVE-2014-{7186,7187})
parser-oob.patch (text/plain), 2.50 KB, created by kfm on 2014-09-25 22:40:09 UTC
>--- a/bash/parse.y 2014-09-25 13:07:59.218209276 +0200 >+++ b/bash/parse.y 2014-09-25 15:26:52.813159810 +0200 >@@ -264,9 +264,21 @@ > > /* Variables to manage the task of reading here documents, because we need to > defer the reading until after a complete command has been collected. */ >-static REDIRECT *redir_stack[10]; >+static REDIRECT **redir_stack; > int need_here_doc; > >+/* Pushes REDIR onto redir_stack, resizing it as needed. */ >+static void >+push_redir_stack (REDIRECT *redir) >+{ >+ /* Guard against oveflow. */ >+ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)) >+ abort (); >+ redir_stack = xrealloc (redir_stack, >+ (need_here_doc + 1) * sizeof (*redir_stack)); >+ redir_stack[need_here_doc++] = redir; >+} >+ > /* Where shell input comes from. History expansion is performed on each > line when the shell is interactive. */ > static char *shell_input_line = (char *)NULL; 
>@@ -519,42 +531,42 @@ > source.dest = 0; > redir.filename = $2; > $$ = make_redirection (source, r_reading_until, redir, 0); >- redir_stack[need_here_doc++] = $$; >+ push_redir_stack ($$); > } > | NUMBER LESS_LESS WORD > { > source.dest = $1; > redir.filename = $3; > $$ = make_redirection (source, r_reading_until, redir, 0); >- redir_stack[need_here_doc++] = $$; >+ push_redir_stack ($$); > } > | REDIR_WORD LESS_LESS WORD > { > source.filename = $1; > redir.filename = $3; > $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN); >- redir_stack[need_here_doc++] = $$; >+ push_redir_stack ($$); > } > | LESS_LESS_MINUS WORD > { > source.dest = 0; > redir.filename = $2; > $$ = make_redirection (source, r_deblank_reading_until, redir, 0); >- redir_stack[need_here_doc++] = $$; >+ push_redir_stack ($$); > } > | NUMBER LESS_LESS_MINUS WORD > { > source.dest = $1; > redir.filename = $3; > $$ = make_redirection (source, r_deblank_reading_until, redir, 0); >- redir_stack[need_here_doc++] = $$; >+ push_redir_stack ($$); > } > | REDIR_WORD LESS_LESS_MINUS WORD > { > source.filename = $1; > redir.filename = $3; > $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN); >- redir_stack[need_here_doc++] = $$; >+ push_redir_stack ($$); > } > | LESS_LESS_LESS WORD > { >@@ -4757,7 +4769,7 @@ > case CASE: > case SELECT: > case FOR: >- if (word_top < MAX_CASE_NEST) >+ if (word_top + 1 < MAX_CASE_NEST) > word_top++; > word_lineno[word_top] = line_number; > break; > >
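Review bot: In `push_redir_stack` (first hunk, parse.y near line 264), tripping the size guard calls `abort ()`, so a script with too many here-documents kills the whole shell instead of failing with a parse error; consider reporting an error and dropping the redirection instead. The guard `need_here_doc + 1 > INT_MAX / sizeof (*redir_stack)` also compares an `int` sum against a `size_t` quotient; for non-negative counts `(size_t) need_here_doc >= INT_MAX / sizeof (*redir_stack)` expresses the same limit without the signed addition or the implicit conversion. The comment has a typo ("oveflow"), and because the stack now grows by one `xrealloc` per here-document with no upper bound, it should say where the allocation is released or reused.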
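Review bot: Any direct `redir_stack[need_here_doc++] = ...` store left outside the second hunk (the `LESS_LESS` and `LESS_LESS_MINUS` productions near line 531) would now write through a pointer that may still be NULL, because `redir_stack` changes from a fixed array to a `static REDIRECT **` that only `push_redir_stack` allocates. Confirm with a grep that the six productions converted here are the only writers, and that whatever resets `need_here_doc` to zero is fine with the buffer being kept and reused by the next push.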
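Review bot: In the last hunk (`case FOR:` near line 4769), `word_lineno[word_top] = line_number;` stays outside the `if`, so once `word_top + 1 < MAX_CASE_NEST` fails, every further nested `case`/`select`/`for` silently overwrites the top slot. That keeps the index in bounds only if `word_lineno` has at least `MAX_CASE_NEST` elements; its declaration is not part of this patch, so it is worth checking. Add a comment saying that deeper nesting reuses the last slot, or put the store in a braced block so the intent is explicit.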
Attachments on bug 523742: 385460 | 385462