Bug 165243 - crash from missing check for invalid multibyte strings when setting $IFS
crash from missing check for invalid multibyte strings when setting $IFS
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bash (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tim Waugh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-08-05 15:32 EDT by Elliot Lee
Modified: 2007-12-11 05:50 EST (History)
0 users

See Also:
Fixed In Version: 3.0-33
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 539536 (view as bug list)
Environment:
Last Closed: 2005-08-08 11:09:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Test case (22 bytes, text/plain)
2005-08-05 15:34 EDT, Elliot Lee
no flags Details

  None (edit)
Description Elliot Lee 2005-08-05 15:32:31 EDT
Line 6954 of subst.c, in the setifs function:

  if (!ifs_value)
    {
      ifs_firstc[0] = '\0';
      ifs_firstc_len = 1;
    }
  else
    {
      size_t ifs_len = strnlen (ifs_value, MB_CUR_MAX);
      ifs_firstc_len = mblen (ifs_value, ifs_len);
      memcpy (ifs_firstc, ifs_value, ifs_firstc_len);
    }

If the ifs_value string is not a valid multibyte string, mblen may return -1.
The subsequent memcpy causes a crash.

I'm not sure what the right outcome is, but crashing is not it :)
Comment 1 Elliot Lee 2005-08-05 15:34:31 EDT
Created attachment 117500 [details]
Test case

The test case and bug info courtesy of Derek Pomery <nemo@m8y.org>
Comment 3 Tim Waugh 2005-08-08 11:09:18 EDT
Should be fixed in bash-3.0-33.  Thanks for the report.

Note You need to log in before you can comment on or make changes to this bug.