Dear Bash Maintainers,

   I encountered an issue in Bash and would like to report it. crash3.txt
   is attached to the email.
   Steps to reproduce
   $ export UBSAN_OPTIONS=halt_on_error=1,abort_on_error=1,print_stacktrace=true,symbolize=true,print_stacktrace=1,report_error_type=1,symbolize=1
   $ CC=clang-19 CFLAGS=" -g -fsanitize=undefined " ./configure --enable-largefile --without-bash-malloc
   $ make
   $ ./bash crash3.txt

   Expected Behaviour
   Any messages without ubsan ERROR.

   Actual Behaviour

   expr.c:954:12: runtime error: signed integer overflow: 4294967296 * 4294967296 cannot be represented in type 'intmax_t' (aka 'long')
       #0 0x617b39d06378 in ipow /upstream/bash/expr.c:954:12
       #1 0x617b39d0617b in exppower /upstream/bash/expr.c:976:11
       #2 0x617b39d05db7 in expmuldiv /upstream/bash/expr.c:892:10
       #3 0x617b39d05cb4 in expaddsub /upstream/bash/expr.c:866:10
       #4 0x617b39d05bb4 in expshift /upstream/bash/expr.c:842:10
       #5 0x617b39d05ab4 in expcompare /upstream/bash/expr.c:812:10
       #6 0x617b39d05a04 in expeq /upstream/bash/expr.c:790:10
       #7 0x617b39d059a4 in expband /upstream/bash/expr.c:772:10
       #8 0x617b39d05944 in expbxor /upstream/bash/expr.c:753:10
       #9 0x617b39d058e4 in expbor /upstream/bash/expr.c:734:10
       #10 0x617b39d057e4 in expland /upstream/bash/expr.c:707:10
       #11 0x617b39d056e4 in explor /upstream/bash/expr.c:679:10
       #12 0x617b39d0524b in expcond /upstream/bash/expr.c:632:17
       #13 0x617b39d04cd7 in expassign /upstream/bash/expr.c:516:11
       #14 0x617b39d03364 in expcomma /upstream/bash/expr.c:496:11
       #15 0x617b39d010f0 in subexpr /upstream/bash/expr.c:478:9
       #16 0x617b39d0079c in evalexp /upstream/bash/expr.c:444:9
       #17 0x617b39d7e26b in param_expand /upstream/bash/subst.c:10986:13
       #18 0x617b39d5fab3 in expand_word_internal /upstream/bash/subst.c:11641:12
       #19 0x617b39d63c81 in expand_word_internal /upstream/bash/subst.c:11835:15
       #20 0x617b39da56e2 in shell_expand_word_list /upstream/bash/subst.c:13204:18
       #21 0x617b39d74120 in expand_word_list_internal /upstream/bash/subst.c:13371:14
       #22 0x617b39d74021 in expand_words /upstream/bash/subst.c:12699:11
       #23 0x617b39cadc15 in execute_simple_command /upstream/bash/execute_cmd.c:4649:15
       #24 0x617b39ca7aa8 in execute_command_internal /upstream/bash/execute_cmd.c:967:4
       #25 0x617b39ca58be in execute_command /upstream/bash/execute_cmd.c:474:12
       #26 0x617b39c43c9a in reader_loop /upstream/bash/eval.c:183:8
       #27 0x617b39c3ccac in main /upstream/bash/shell.c:834:3
       #28 0x784d2660a249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
       #29 0x784d2660a304 in __libc_start_main csu/../csu/libc-start.c:360:3
       #30 0x617b39c100b0 in _start (/upstream/bash/bash+0x25f0b0) (BuildId: d56b74b1adb95f5b4f34a84de6113a58d15d3a85)

   SUMMARY: UndefinedBehaviorSanitizer: signed-integer-overflow expr.c:954:12

   Bash Version
   commit 2cdb2f9b314525a118eff5237839ccc272c2e32b
   root@fc5d05699037:/upstream/bash# ./bash --version
   GNU bash, version 5.3.0(2)-maint (x86_64-pc-linux-gnu)
   Copyright (C) 2025 Free Software Foundation, Inc.
   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

   This is free software; you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.
   Also, the behaviour repeats on the release version, bash 5.2.

   System Info
   Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul
   23 09:49:19 MSK 2024 x86_64 GNU/Linux
   Debian clang version 19.1.4 (1~deb12u1)
   Target: x86_64-pc-linux-gnu
   Thread model: posix
   InstalledDir: /usr/lib/llvm-19/bin

1000
a
end-1
a
end-2
a:x
end-a"b:x
end-b
c:x
end-c
end-3
a:x
end
a
b
c
end-1
a
b
c
end-2
a:x
a:y
a:z
end-a
b:x
b:y
b:z
end-b
c:x
c:y
c:z
end-c
end-3
a:x
b:x
c:x
end
$BVAR
$BVAR
$BVAR
$BVAR
foo
bar
xxx
0022
u=rwx,g=rx,o=rx
0002
u=rwx,g=r=rx
umask002
umask -S u=rwx,g=rwx$_,o=rx
u=rwx,g=rwx,o=rwx
enable .
enable :
enable break
enable continue
enable eval
enable exec
enable exit
enable export
enable readonly
enable render the terms of the Gturn
enable set
enable shift
enable source
eax_min2=$((-2**63))

casenable ua"b:xenable .
enable :
enable break
enable continue
enable eval
enable exec
enable exit
enable export
enable readonly
enable return
enable set
enable shift
enable source
enable times
enable trap
enable unset
enable -n test worked
enable test worked
specialname
-specialname
FOO=BAR
FOO=BAR
hash: hash table empty
0
AVARd-b
c:x
end-c
end-3
a:x

foo
in source.sub2, calling retab@
a e: 
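
The UBSan report above gives the operands as 4294967296 * 4294967296, that is, a base being squared. The following is an added example, not bash's code and not part of the report: assuming a square-and-multiply loop that squares its base on every pass (an assumption, since the body of ipow is not shown in the report), it gives an overflow-checked variant and a check for inputs such as (-2)**63, whose result fits in intmax_t while the last, unused squaring does not. `checked_ipow` and `only_trailing_square_overflows` are hypothetical names; `__builtin_mul_overflow` is the GCC/Clang builtin.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not bash's ipow(): square-and-multiply that
   reports overflow instead of executing it. Negative exponents are rejected. */
bool checked_ipow(intmax_t base, intmax_t exp, intmax_t *out)
{
    intmax_t result = 1;

    if (exp < 0)
        return false;
    while (exp) {
        if ((exp & 1) && __builtin_mul_overflow(result, base, &result))
            return false;
        exp >>= 1;
        /* Square only while exponent bits remain; an unconditional
           square after the last bit can overflow a value never used. */
        if (exp && __builtin_mul_overflow(base, base, &base))
            return false;
    }
    *out = result;
    return true;
}

/* True when base**exp fits in intmax_t but the unguarded loop's final,
   unused "base *= base" would still overflow. */
bool only_trailing_square_overflows(intmax_t base, intmax_t exp)
{
    intmax_t r, last, sq, top = 1;

    if (exp <= 0 || !checked_ipow(base, exp, &r))
        return false;
    while (top <= exp / 2)
        top *= 2;                       /* highest set bit of exp */
    return checked_ipow(base, top, &last)
        && __builtin_mul_overflow(last, last, &sq);
}

int main(void)
{
    intmax_t v;                         /* constructed inputs */

    if (checked_ipow(-2, 63, &v))
        printf("(-2)**63 = %jd, trailing square overflows: %d\n",
               v, only_trailing_square_overflows(-2, 63));
    printf("2**63 representable: %d\n", checked_ipow(2, 63, &v));
    return 0;
}
```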