src/patches/bash/bash32-034

   1                              BASH PATCH REPORT
   2                              =================
   3
   4 Bash-Release: 3.2
   5 Patch-ID: bash32-034
   6
   7 Bug-Reported-by:        Ian Campbell <ian.campbell@xensource.com>
   8 Bug-Reference-ID:       <EXCHPAFExU3l5bhn1ow00001dfe@rpc.xensource.com>
   9 Bug-Reference-URL:      http://lists.gnu.org/archive/html/bug-bash/2007-10/msg00060.html
  10
  11 Bug-Description:
  12
  13 The bash getcwd replacement will write past the end of allocated memory
  14 when it allocates the buffer itself if it uses the buffer size passed as
  15 an argument, and that size is less than the length of the pathname.
  16
  17 Patch:
  18
  19 *** ../bash-3.2-patched/lib/sh/getcwd.c 2004-07-21 17:15:19.000000000 -0400
  20 --- lib/sh/getcwd.c     2007-12-31 19:26:36.000000000 -0500
  21 ***************
  22 *** 252,268 ****
  23     {
  24       size_t len = pathbuf + pathsize - pathp;
  25       if (buf == NULL)
  26         {
  27 !       if (len < (size_t) size)
  28 !         len = size;
  29 !       buf = (char *) malloc (len);
  30         if (buf == NULL)
  31           goto lose2;
  32         }
  33 !     else if ((size_t) size < len)
  34 !       {
  35 !       errno = ERANGE;
  36 !       goto lose2;
  37 !       }
  38       (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
  39     }
  40 --- 287,305 ----
  41     {
  42       size_t len = pathbuf + pathsize - pathp;
  43 +     if (buf == NULL && size <= 0)
  44 +       size = len;
  45 +
  46 +     if ((size_t) size < len)
  47 +       {
  48 +       errno = ERANGE;
  49 +       goto lose2;
  50 +       }
  51       if (buf == NULL)
  52         {
  53 !       buf = (char *) malloc (size);
  54         if (buf == NULL)
  55           goto lose2;
  56         }
  57 !
  58       (void) memcpy((PTR_T) buf, (PTR_T) pathp, len);
  59     }
  60 *** ../bash-3.2/patchlevel.h    Thu Apr 13 08:31:04 2006
  61 --- patchlevel.h        Mon Oct 16 14:22:54 2006
  62 ***************
  63 *** 26,30 ****
  64      looks for to find the patch level (for the sccs version string). */
  65
  66 ! #define PATCHLEVEL 33
  67
  68   #endif /* _PATCHLEVEL_H_ */
  69 --- 26,30 ----
  70      looks for to find the patch level (for the sccs version string). */
  71
  72 ! #define PATCHLEVEL 34
  73
  74   #endif /* _PATCHLEVEL_H_ */