Re: Integer overflow in command substitution

2017-11-16 Thread Eduardo A. Bustamante López
On Thu, Nov 16, 2017 at 06:50:59AM -0500, Siteshwar Vashisht wrote:
[...]
> Bash Version: 4.4
> Patch Level: 12
> Release Status: release
> 
> Repeat-By:
> $ bash -c 'true $(yes )'
> bash: xrealloc: cannot allocate 18446744071562067968 bytes

Interesting! I think this might explain the behavior reported in:
  https://lists.nongnu.org/archive/html/bug-bash/2017-11/msg00051.html



Integer overflow in command substitution

2017-11-16 Thread Siteshwar Vashisht
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu' 
-DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib  -D_GNU_SOURCE -DRECYCLES_PIDS 
-DDEFAULT_PATH_VALUE='/usr/local/bin:/usr/bin'  -O2 -g -pipe -Wall 
-Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions 
-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic 
-Wno-parentheses -Wno-format-security
uname output: Linux localhost.localdomain 4.13.12-200.fc26.x86_64 #1 SMP Wed 
Nov 8 16:47:26 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 4.4
Patch Level: 12
Release Status: release

Repeat-By:
$ bash -c 'true $(yes )'
bash: xrealloc: cannot allocate 18446744071562067968 bytes

Fix:
Attached patch fixes this issue.

-- 
--
Siteshwar Vashisht
From a91b113be8fca1a38b2b7f67be11039f3efd44e3 Mon Sep 17 00:00:00 2001
From: Siteshwar Vashisht 
Date: Thu, 16 Nov 2017 12:18:00 +0100
Subject: [PATCH] Avoid integer overflow while allocating memory in
 read_comsub() function


diff --git a/subst.c b/subst.c
index eb855e9d..e48524e5 100644
--- a/subst.c
+++ b/subst.c
@@ -5803,7 +5803,8 @@ read_comsub (fd, quoted, flags, rflag)
  int *rflag;
 {
   char *istring, buf[128], *bufp, *s;
-  int istring_index, istring_size, c, tflag, skip_ctlesc, skip_ctlnul;
+  size_t istring_size, istring_index;
+  int c, tflag, skip_ctlesc, skip_ctlnul;
   ssize_t bufn;
   int nullbyte;
 
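Review bot: the hunk only widens `istring_size` and `istring_index` to `size_t` and shows no change to the code that later grows `istring_size` or compares `istring_index` against it, so the reviewer should check that the growth arithmetic is also correct once the variables are unsigned. The figure in Repeat-By, 18446744071562067968, is 0xFFFFFFFF80000000, i.e. INT_MIN sign-extended to a 64-bit size_t, which shows the old `int` size went negative before reaching xrealloc; switching the type removes that sign extension but a size_t can still wrap on repeated doubling, so an explicit upper bound on the growth (erroring out rather than allocating) would be worth adding next to this declaration change. Also confirm that comparisons between the now-unsigned `istring_index` and the still-signed `ssize_t bufn` two lines below do not introduce a signed/unsigned mismatch under -Wall.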
-- 
2.13.6
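To make the arithmetic behind the reported 18446744071562067968 figure concrete, here is an added C model; it is not bash's code and not part of the patch, and the 128-byte starting size, the function names and the explicit cap are assumptions. It contrasts an int-typed doubling buffer size, which passes INT_MAX, becomes INT_MIN and is then sign-extended when handed to an allocator taking size_t, with a size_t size that refuses to grow past a ceiling.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a doubling-growth buffer size as in read_comsub().
   Arithmetic is done in uint32_t so the 32-bit wraparound is well defined;
   the final cast back to int32_t is implementation-defined and yields
   INT_MIN on two's-complement compilers such as gcc and clang. */
int32_t grow_int_size(int32_t size, uint64_t needed)
{
    uint32_t u = (uint32_t)size;
    /* Stop once the int would be non-positive or big enough. */
    while ((int32_t)u > 0 && (uint64_t)(int32_t)u < needed)
        u *= 2u;                    /* 2^30 * 2 = 0x80000000 = INT_MIN */
    return (int32_t)u;
}

/* What a size_t-taking allocator receives when given the negative int:
   conversion to unsigned is modulo 2^64, i.e. sign extension. */
size_t as_alloc_request(int32_t size)
{
    return (size_t)size;            /* -2^31 -> 2^64 - 2^31 on 64-bit */
}

/* Hardened variant (assumed design, not the patch's): unsigned size with
   an explicit ceiling; returns 0 instead of wrapping when the cap is hit. */
size_t grow_size_checked(size_t size, size_t needed, size_t max)
{
    while (size < needed) {
        if (size > max / 2)         /* doubling would exceed the cap */
            return 0;
        size *= 2;
    }
    return size;
}

int main(void)
{
    /* `yes` never ends, so model "needed" as effectively unbounded. */
    int32_t s = grow_int_size(128, UINT64_MAX);
    printf("int size wraps to %d, allocator sees %zu bytes\n",
           s, as_alloc_request(s));
    printf("checked growth to 1 MiB cap: %zu\n",
           grow_size_checked(128, UINT64_MAX, (size_t)1 << 20));
    return 0;
}
```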