summaryrefslogtreecommitdiff
path: root/data/bash/bash32-034
blob: 4f081624b345835d90a52d0cded56ea6583042e2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
			     BASH PATCH REPORT
			     =================

Bash-Release: 3.2
Patch-ID: bash32-034

Bug-Reported-by:	Ian Campbell <ian.campbell@xensource.com>
Bug-Reference-ID:	<EXCHPAFExU3l5bhn1ow00001dfe@rpc.xensource.com>
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2007-10/msg00060.html

Bug-Description:

The bash getcwd replacement will write past the end of allocated memory
when it allocates the buffer itself if it uses the buffer size passed as
an argument, and that size is less than the length of the pathname.

Patch:

*** ../bash-3.2-patched/lib/sh/getcwd.c	2004-07-21 17:15:19.000000000 -0400
--- lib/sh/getcwd.c	2007-12-31 19:26:36.000000000 -0500
***************
*** 252,268 ****
    {
      size_t len = pathbuf + pathsize - pathp;
      if (buf == NULL)
        {
! 	if (len < (size_t) size)
! 	  len = size;
! 	buf = (char *) malloc (len);
  	if (buf == NULL)
  	  goto lose2;
        }
!     else if ((size_t) size < len)
!       {
! 	errno = ERANGE;
! 	goto lose2;
!       }
      (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
    }
--- 287,305 ----
    {
      size_t len = pathbuf + pathsize - pathp;
+     if (buf == NULL && size <= 0)
+       size = len;
+ 
+     if ((size_t) size < len)
+       {
+ 	errno = ERANGE;
+ 	goto lose2;
+       }
      if (buf == NULL)
        {
! 	buf = (char *) malloc (size);
  	if (buf == NULL)
  	  goto lose2;
        }
! 
      (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
    }
*** ../bash-3.2/patchlevel.h	Thu Apr 13 08:31:04 2006
--- patchlevel.h	Mon Oct 16 14:22:54 2006
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 33
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 34
  
  #endif /* _PATCHLEVEL_H_ */