diff options
Diffstat (limited to 'data/bash/bash44-006')
| -rw-r--r-- | data/bash/bash44-006 | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/data/bash/bash44-006 b/data/bash/bash44-006 new file mode 100644 index 000000000..f68c7ab47 --- /dev/null +++ b/data/bash/bash44-006 @@ -0,0 +1,59 @@ + BASH PATCH REPORT + ================= + +Bash-Release: 4.4 +Patch-ID: bash44-006 + +Bug-Reported-by: <fernando@null-life.com> +Bug-Reference-ID: <CAEr-gPFPvqheiAeENmMkEwWRd4U=1iqCsYmR3sLdULOqL++_tQ@mail.gmail.com> +Bug-Reference-URL: + +Bug-Description: + +Out-of-range negative offsets to popd can cause the shell to crash attempting +to free an invalid memory block. + +Patch (apply with `patch -p0'): + +*** ../bash-4.4-patched/builtins/pushd.def 2016-01-25 13:31:49.000000000 -0500 +--- builtins/pushd.def 2016-10-28 10:46:49.000000000 -0400 +*************** +*** 366,370 **** + } + +! if (which > directory_list_offset || (directory_list_offset == 0 && which == 0)) + { + pushd_error (directory_list_offset, which_word ? which_word : ""); +--- 366,370 ---- + } + +! if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0)) + { + pushd_error (directory_list_offset, which_word ? which_word : ""); +*************** +*** 388,391 **** +--- 388,396 ---- + of the list into place. */ + i = (direction == '+') ? directory_list_offset - which : which; ++ if (i < 0 || i > directory_list_offset) ++ { ++ pushd_error (directory_list_offset, which_word ? which_word : ""); ++ return (EXECUTION_FAILURE); ++ } + free (pushd_directory_list[i]); + directory_list_offset--; +*** ../bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 +--- patchlevel.h 2016-10-01 11:01:28.000000000 -0400 +*************** +*** 26,30 **** + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 5 + + #endif /* _PATCHLEVEL_H_ */ +--- 26,30 ---- + looks for to find the patch level (for the sccs version string). */ + +! #define PATCHLEVEL 6 + + #endif /* _PATCHLEVEL_H_ */ |