bug-bash

heap-buffer-overflow in history_expand


From: Grisha Levit
Subject: heap-buffer-overflow in history_expand
Date: Mon, 24 Apr 2023 01:40:59 -0400

The history expansion code can end up reading past the end of the
input line buffer if the line ends with an invalid multibyte sequence:

bash --norc -in <<<$'X\n\e238Y!!\xC2\xC2'
ERROR: AddressSanitizer: heap-buffer-overflow
READ of size 1 at 0x000108b48400 thread T0
    #0 0x104ed9c88 in history_expand histexpand.c:1129
    #1 0x104b761b0 in pre_process_line bashhist.c:570
    #2 0x10482a540 in shell_getc parse.y:2512

diff --git a/lib/readline/histexpand.c b/lib/readline/histexpand.c
index db344b49..425ea7cf 100644
--- a/lib/readline/histexpand.c
+++ b/lib/readline/histexpand.c
@@ -1121,7 +1121,7 @@ history_expand (const char *hstring, char **output)

          c = tchar;
          memset (mb, 0, sizeof (mb));
-         for (k = 0; k < MB_LEN_MAX; k++)
+         for (k = 0; k < MB_LEN_MAX && i < l; k++)
            {
              mb[k] = (char)c;
              memset (&ps, 0, sizeof (mbstate_t));
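Review bot: On the changed `for` line, the new `i < l` term can end the loop with `mb` holding only part of a sequence, and nothing in this hunk shows how the code after the loop treats that case; please confirm it handles a short `mb` as an invalid character rather than a converted one. The hunk also does not show where `i` advances, so it is worth checking that the increment happens where this test covers the next read and not after it. A one-line comment saying the bound covers a line that ends in an invalid multibyte sequence, plus a test case built from the reproducer in the report, would keep this from regressing.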



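The failure mode reported above, shown as an added example that is not readline's code: a loop that gathers the bytes of one multibyte character has to be bounded by the input length as well as by the size of the scratch buffer. It assumes UTF-8 and substitutes a hand-written lead-byte check for the locale-dependent conversion functions; utf8_len, collect_char and scan_line are hypothetical names, and the input is constructed from the tail of the reproducer.

```c
/* Added illustration, not readline code; helper names are hypothetical. */
#include <limits.h>   /* MB_LEN_MAX */
#include <stdio.h>
#include <string.h>

/* Length a UTF-8 lead byte announces; 0 if the byte cannot start a character. */
static size_t utf8_len(unsigned char b) {
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) return 2;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    return (b >= 0xF0 && b <= 0xF4) ? 4 : 0;
}

/* Copy the character at s[*i] into mb (MB_LEN_MAX bytes), advance *i, return bytes taken.
   s holds exactly l bytes, no NUL needed; *complete is 0 for an invalid or cut-short one. */
size_t collect_char(const char *s, size_t l, size_t *i, char *mb, int *complete) {
    size_t k, want;
    memset(mb, 0, MB_LEN_MAX);
    *complete = 0;
    if (*i >= l) return 0;
    want = utf8_len((unsigned char)s[*i]);
    if (want == 0) { mb[0] = s[(*i)++]; return 1; }   /* stray byte: pass through alone */
    /* Bounded by mb's size AND by the input length, like the patched loop condition. */
    for (k = 0; k < want && k < MB_LEN_MAX && *i < l; k++) {
        unsigned char b = (unsigned char)s[*i];
        if (k > 0 && (b & 0xC0) != 0x80) break;       /* not a continuation byte */
        mb[k] = (char)b;
        (*i)++;
    }
    *complete = (k == want);
    return k;
}

/* Walk a whole line; returns the count of invalid or truncated sequences. */
size_t scan_line(const char *s, size_t l, size_t *end) {
    char mb[MB_LEN_MAX];
    size_t i = 0, bad = 0;
    int complete;
    while (i < l) {
        collect_char(s, l, &i, mb, &complete);
        bad += !complete;
    }
    *end = i;
    return bad;
}

int main(void) {
    static const char tail[5] = { 'Y', '!', '!', '\xC2', '\xC2' };  /* constructed, no NUL */
    size_t end, bad = scan_line(tail, sizeof tail, &end);
    printf("invalid=%zu consumed=%zu of %zu\n", bad, end, sizeof tail);
    return 0;
}
```

Building this with -fsanitize=address is a quick way to confirm that the scan never touches a byte past the end of the unterminated array.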