blob: ba58ed40c39719da42bd213c8d329b929b0ececa (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
|
From https://ftp.gnu.org/gnu/bash/bash-4.4-patches/bash44-006
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
BASH PATCH REPORT
=================
Bash-Release: 4.4
Patch-ID: bash44-006
Bug-Reported-by: <fernando@null-life.com>
Bug-Reference-ID: <CAEr-gPFPvqheiAeENmMkEwWRd4U=1iqCsYmR3sLdULOqL++_tQ@mail.gmail.com>
Bug-Reference-URL:
Bug-Description:
Out-of-range negative offsets to popd can cause the shell to crash attempting
to free an invalid memory block.
Patch (apply with `patch -p0'):
*** bash-4.4-patched/builtins/pushd.def 2016-01-25 13:31:49.000000000 -0500
--- b/builtins/pushd.def 2016-10-28 10:46:49.000000000 -0400
***************
*** 366,370 ****
}
! if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
{
pushd_error (directory_list_offset, which_word ? which_word : "");
--- b/366,370 ----
}
! if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
{
pushd_error (directory_list_offset, which_word ? which_word : "");
***************
*** 388,391 ****
--- b/388,396 ----
of the list into place. */
i = (direction == '+') ? directory_list_offset - which : which;
+ if (i < 0 || i > directory_list_offset)
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+ return (EXECUTION_FAILURE);
+ }
free (pushd_directory_list[i]);
directory_list_offset--;
*** bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400
--- b/patchlevel.h 2016-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 5
#endif /* _PATCHLEVEL_H_ */
--- b/26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 6
#endif /* _PATCHLEVEL_H_ */
|
