1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
|
BASH PATCH REPORT
=================
Bash-Release: 4.0
Patch-ID: bash40-042
Bug-Reported-by: Florian Weimer <fweimer@redhat.com>
Bug-Reference-ID:
Bug-Reference-URL:
Bug-Description:
There are two local buffer overflows in parse.y that can cause the shell
to dump core when given many here-documents attached to a single command
or many nested loops.
Patch:
*** ../bash-4.0.41/parse.y 2014-09-27 12:17:56.000000000 -0400
--- parse.y 2014-09-30 19:41:09.000000000 -0400
***************
*** 167,170 ****
--- 167,173 ----
static int reserved_word_acceptable __P((int));
static int yylex __P((void));
+
+ static void push_heredoc __P((REDIRECT *));
+ static char *mk_alexpansion __P((char *));
static int alias_expand_token __P((char *));
static int time_command_acceptable __P((void));
***************
*** 262,266 ****
/* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
! static REDIRECT *redir_stack[10];
int need_here_doc;
--- 265,271 ----
/* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
! #define HEREDOC_MAX 16
!
! static REDIRECT *redir_stack[HEREDOC_MAX];
int need_here_doc;
***************
*** 301,305 ****
index is decremented after a case, select, or for command is parsed. */
#define MAX_CASE_NEST 128
! static int word_lineno[MAX_CASE_NEST];
static int word_top = -1;
--- 306,310 ----
index is decremented after a case, select, or for command is parsed. */
#define MAX_CASE_NEST 128
! static int word_lineno[MAX_CASE_NEST+1];
static int word_top = -1;
***************
*** 452,456 ****
redir.filename = $2;
$$ = make_redirection (0, r_reading_until, redir);
! redir_stack[need_here_doc++] = $$;
}
| NUMBER LESS_LESS WORD
--- 457,461 ----
redir.filename = $2;
$$ = make_redirection (0, r_reading_until, redir);
! push_heredoc ($$);
}
| NUMBER LESS_LESS WORD
***************
*** 458,462 ****
redir.filename = $3;
$$ = make_redirection ($1, r_reading_until, redir);
! redir_stack[need_here_doc++] = $$;
}
| LESS_LESS_LESS WORD
--- 463,467 ----
redir.filename = $3;
$$ = make_redirection ($1, r_reading_until, redir);
! push_heredoc ($$);
}
| LESS_LESS_LESS WORD
***************
*** 515,519 ****
$$ = make_redirection
(0, r_deblank_reading_until, redir);
! redir_stack[need_here_doc++] = $$;
}
| NUMBER LESS_LESS_MINUS WORD
--- 520,524 ----
$$ = make_redirection
(0, r_deblank_reading_until, redir);
! push_heredoc ($$);
}
| NUMBER LESS_LESS_MINUS WORD
***************
*** 522,526 ****
$$ = make_redirection
($1, r_deblank_reading_until, redir);
! redir_stack[need_here_doc++] = $$;
}
| GREATER_AND '-'
--- 527,531 ----
$$ = make_redirection
($1, r_deblank_reading_until, redir);
! push_heredoc ($$);
}
| GREATER_AND '-'
***************
*** 2377,2380 ****
--- 2382,2400 ----
static int esacs_needed_count;
+ static void
+ push_heredoc (r)
+ REDIRECT *r;
+ {
+ if (need_here_doc >= HEREDOC_MAX)
+ {
+ last_command_exit_value = EX_BADUSAGE;
+ need_here_doc = 0;
+ report_syntax_error (_("maximum here-document count exceeded"));
+ reset_parser ();
+ exit_shell (last_command_exit_value);
+ }
+ redir_stack[need_here_doc++] = r;
+ }
+
void
gather_here_documents ()
*** ../bash-4.0/patchlevel.h 2009-01-04 14:32:40.000000000 -0500
--- patchlevel.h 2009-02-22 16:11:31.000000000 -0500
***************
*** 26,30 ****
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 41
#endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
looks for to find the patch level (for the sccs version string). */
! #define PATCHLEVEL 42
#endif /* _PATCHLEVEL_H_ */
|