From: Eric Li <lixiaoyi13691419...@gmail.com>
To: bug-bash@gnu.org
Subject: Integer overflow of i in string_extract_verbatim

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -Og
uname output: Linux fedora 6.2.12-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 20 23:38:29 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.2
Patch Level: 15
Release Status: release

Description:
        Bash runs into a segmentation fault when spawning a process with
        argc larger than 2GB. Can debug using GDB and observe that
        subst.c:1204 (string_extract_verbatim, "while (c = string[i])")
        crashes because i = -2147483648. string[i] points to invalid
        memory.

Repeat-By:
        1. Put the following shell script to a.sh:

        A='aaaaaaaaaaaaaaaaaaaaaaaa'
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        A="$A$A$A$A"
        set -o pipefail
        echo $A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A | wc
        echo $?
        echo done

        2. Run "./bash a.sh"
        3. See

        a.sh: line 15: ... Segmentation fault      (core dumped)

        4. Use the following command to debug with GDB

        gdb ./bash --ex 'set follow-fork-mode child' --ex 'r a.sh'

        5. See GDB output similar to following:

        Thread 2.1 "bash" received signal SIGSEGV, Segmentation fault.
        ... in string_extract_verbatim (...) at subst.c:1204
        1204      while (c = string[i])

        6. Using GDB, can see that i = -2147483648.

Fix:
        In string_extract_verbatim, change "int i" to "size_t i".
        Also need to change other places, including:
        * Argument sindex of string_extract_verbatim
        * Variable sindex of get_word_from_string
        * Variable sindex of get_word_from_string
        * Argument sindex of string_extract_single_quoted
        * ...

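As an added illustration (not code from this report or from bash's subst.c), a simplified stand-in for the extraction loop: the int-indexed shape cannot represent offsets past INT_MAX and must refuse such inputs, while the size_t version handles any length. The function names, the charlist parameter and the small sample string are assumptions made for the example.

```c
/* Added example: a cut-down string_extract_verbatim look-alike. The
 * real function's contract (scan from *sindex until a char in charlist,
 * return a copy, advance *sindex) is mirrored; the bodies are not bash's. */
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Copy string[start..end) into a fresh buffer. */
static char *copy_range(const char *string, size_t start, size_t end)
{
    size_t n = end - start;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, string + start, n);
    out[n] = '\0';
    return out;
}

/* An int index can only address the first INT_MAX bytes; beyond that
 * i++ overflows (undefined behaviour; in practice it wraps to INT_MIN and
 * string[i] reads far outside the buffer, as the GDB session shows). */
bool fits_int_index(size_t len)
{
    return len <= (size_t)INT_MAX;
}

/* Legacy shape with "int i": refuse inputs the index cannot cover
 * instead of scanning them. Returns NULL when it cannot proceed. */
char *extract_verbatim_int(const char *string, size_t *sindex, const char *charlist)
{
    size_t len = strlen(string);
    if (!fits_int_index(len) || *sindex > len)
        return NULL;
    int i = (int)*sindex;
    int c;
    while ((c = string[i]) != 0 && strchr(charlist, c) == NULL)
        i++;
    char *out = copy_range(string, *sindex, (size_t)i);
    *sindex = (size_t)i;
    return out;
}

/* Fixed shape with "size_t i": no overflow for any in-memory length. */
char *extract_verbatim_sizet(const char *string, size_t *sindex, const char *charlist)
{
    size_t i = *sindex;
    int c;
    while ((c = string[i]) != 0 && strchr(charlist, c) == NULL)
        i++;
    char *out = copy_range(string, *sindex, i);
    *sindex = i;
    return out;
}
```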
