7 Bug-Reported-by: Ian Campbell <ian.campbell@xensource.com>
8 Bug-Reference-ID: <EXCHPAFExU3l5bhn1ow00001dfe@rpc.xensource.com>
9 Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2007-10/msg00060.html
13 The bash getcwd replacement will write past the end of allocated memory
14 when it allocates the buffer itself if it uses the buffer size passed as
15 an argument, and that size is less than the length of the pathname.
19 *** ../bash-3.2-patched/lib/sh/getcwd.c 2004-07-21 17:15:19.000000000 -0400
20 --- lib/sh/getcwd.c 2007-12-31 19:26:36.000000000 -0500
24 size_t len = pathbuf + pathsize - pathp;
27 ! if (len < (size_t) size)
29 ! buf = (char *) malloc (len);
33 ! else if ((size_t) size < len)
38 (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
42 size_t len = pathbuf + pathsize - pathp;
43 + if (buf == NULL && size <= 0)
46 + if ((size_t) size < len)
53 ! buf = (char *) malloc (size);
58 (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
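Review bot: The `memcpy` of `len` bytes that closes the new side is safe only because the `(size_t) size < len` check now appears before the `malloc (size)` call, and nothing in the code states that invariant. A one-line comment above the allocation, such as `/* size >= len is guaranteed here, so the copy below cannot overrun buf */`, would keep a later reordering from reintroducing the overrun. The `size <= 0` test beside the `(size_t) size` cast also leaves the signedness of `size` unclear. If it is a signed type, a negative value passed with a non-NULL `buf` would convert to a very large `size_t` and pass the length check, so this should be confirmed against the declaration, which is outside the hunk. The enclosing block starts and ends outside the visible lines and this listing omits several lines of the hunk, so the branch structure described here is partly inferred.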
60 *** ../bash-3.2/patchlevel.h Thu Apr 13 08:31:04 2006
61 --- patchlevel.h Mon Oct 16 14:22:54 2006
64 looks for to find the patch level (for the sccs version string). */
66 ! #define PATCHLEVEL 33
68 #endif /* _PATCHLEVEL_H_ */
70 looks for to find the patch level (for the sccs version string). */
72 ! #define PATCHLEVEL 34
74 #endif /* _PATCHLEVEL_H_ */