]>
Commit | Line | Data |
---|---|---|
24acfa14 MT |
1 | BASH PATCH REPORT |
2 | ================= | |
3 | ||
4 | Bash-Release: 3.2 | |
5 | Patch-ID: bash32-034 | |
6 | ||
7 | Bug-Reported-by: Ian Campbell <ian.campbell@xensource.com> | |
8 | Bug-Reference-ID: <EXCHPAFExU3l5bhn1ow00001dfe@rpc.xensource.com> | |
9 | Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2007-10/msg00060.html | |
10 | ||
11 | Bug-Description: | |
12 | ||
13 | The bash getcwd replacement will write past the end of allocated memory | |
14 | when it allocates the buffer itself if it uses the buffer size passed as | |
15 | an argument, and that size is less than the length of the pathname. | |
16 | ||
17 | Patch: | |
18 | ||
19 | *** ../bash-3.2-patched/lib/sh/getcwd.c 2004-07-21 17:15:19.000000000 -0400 | |
20 | --- lib/sh/getcwd.c 2007-12-31 19:26:36.000000000 -0500 | |
21 | *************** | |
22 | *** 252,268 **** | |
23 | { | |
24 | size_t len = pathbuf + pathsize - pathp; | |
25 | if (buf == NULL) | |
26 | { | |
27 | ! if (len < (size_t) size) | |
28 | ! len = size; | |
29 | ! buf = (char *) malloc (len); | |
30 | if (buf == NULL) | |
31 | goto lose2; | |
32 | } | |
33 | ! else if ((size_t) size < len) | |
34 | ! { | |
35 | ! errno = ERANGE; | |
36 | ! goto lose2; | |
37 | ! } | |
38 | (void) memcpy((PTR_T) buf, (PTR_T) pathp, len); | |
39 | } | |
40 | --- 287,305 ---- | |
41 | { | |
42 | size_t len = pathbuf + pathsize - pathp; | |
43 | + if (buf == NULL && size <= 0) | |
44 | + size = len; | |
45 | + | |
46 | + if ((size_t) size < len) | |
47 | + { | |
48 | + errno = ERANGE; | |
49 | + goto lose2; | |
50 | + } | |
51 | if (buf == NULL) | |
52 | { | |
53 | ! buf = (char *) malloc (size); | |
54 | if (buf == NULL) | |
55 | goto lose2; | |
56 | } | |
57 | ! | |
58 | (void) memcpy((PTR_T) buf, (PTR_T) pathp, len); | |
59 | } | |
60 | *** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006 | |
61 | --- patchlevel.h Mon Oct 16 14:22:54 2006 | |
62 | *************** | |
63 | *** 26,30 **** | |
64 | looks for to find the patch level (for the sccs version string). */ | |
65 | ||
66 | ! #define PATCHLEVEL 33 | |
67 | ||
68 | #endif /* _PATCHLEVEL_H_ */ | |
69 | --- 26,30 ---- | |
70 | looks for to find the patch level (for the sccs version string). */ | |
71 | ||
72 | ! #define PATCHLEVEL 34 | |
73 | ||
74 | #endif /* _PATCHLEVEL_H_ */ |