rcolebaugh / rpms / bash

Forked from rpms/bash a year ago
Clone
287226
			     BASH PATCH REPORT
287226
			     =================
287226
287226
Bash-Release:	4.2
287226
Patch-ID:	bash42-044
287226
287226
Bug-Reported-by:	"Dashing" <dashing@hushmail.com>
287226
Bug-Reference-ID:	<20130211175049.D90786F446@smtp.hushmail.com>
287226
Bug-Reference-URL:	http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html
287226
287226
Bug-Description:
287226
287226
When converting a multibyte string to a wide character string as part of
287226
pattern matching, bash does not handle the end of the string correctly,
287226
causing the search for the NUL to go beyond the end of the string and
287226
reference random memory.  Depending on the contents of that memory, bash
287226
can produce errors or crash. 
287226
287226
Patch (apply with `patch -p0'):
287226
287226
*** ../bash-4.2-patched/lib/glob/xmbsrtowcs.c	2012-07-08 21:53:19.000000000 -0400
287226
--- lib/glob/xmbsrtowcs.c	2013-02-12 12:00:39.000000000 -0500
287226
***************
287226
*** 217,220 ****
287226
--- 217,226 ----
287226
        n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
287226
  
287226
+       if (n == 0 && p == 0)
287226
+ 	{
287226
+ 	  wsbuf[wcnum] = L'\0';
287226
+ 	  break;
287226
+ 	}
287226
+ 
287226
        /* Compensate for taking single byte on wcs conversion failure above. */
287226
        if (wcslength == 1 && (n == 0 || n == (size_t)-1))
287226
***************
287226
*** 222,226 ****
287226
  	  state = tmp_state;
287226
  	  p = tmp_p;
287226
! 	  wsbuf[wcnum++] = *p++;
287226
  	}
287226
        else
287226
--- 228,238 ----
287226
  	  state = tmp_state;
287226
  	  p = tmp_p;
287226
! 	  wsbuf[wcnum] = *p;
287226
! 	  if (*p == 0)
287226
! 	    break;
287226
! 	  else
287226
! 	    {
287226
! 	      wcnum++; p++;
287226
! 	    }
287226
  	}
287226
        else
287226
287226
*** ../bash-4.2-patched/patchlevel.h	Sat Jun 12 20:14:48 2010
287226
--- patchlevel.h	Thu Feb 24 21:41:34 2011
287226
***************
287226
*** 26,30 ****
287226
     looks for to find the patch level (for the sccs version string). */
287226
  
287226
! #define PATCHLEVEL 43
287226
  
287226
  #endif /* _PATCHLEVEL_H_ */
287226
--- 26,30 ----
287226
     looks for to find the patch level (for the sccs version string). */
287226
  
287226
! #define PATCHLEVEL 44
287226
  
287226
  #endif /* _PATCHLEVEL_H_ */