165243 – crash from missing check for invalid multibyte strings when setting $IFS

Bug 165243 - crash from missing check for invalid multibyte strings when setting $IFS

Summary: crash from missing check for invalid multibyte strings when setting $IFS

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	bash
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tim Waugh
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2005-08-05 19:32 UTC by Elliot Lee
Modified:	2007-12-11 10:50 UTC (History)
CC List:	0 users
Fixed In Version:	3.0-33
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	539536 (view as bug list)
Environment:
Last Closed:	2005-08-08 15:09:18 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Test case (22 bytes, text/plain) 2005-08-05 19:34 UTC, Elliot Lee	no flags	Details
View All

Description Elliot Lee 2005-08-05 19:32:31 UTC

Line 6954 of subst.c, in the setifs function:

  if (!ifs_value)
    {
      ifs_firstc[0] = '\0';
      ifs_firstc_len = 1;
    }
  else
    {
      size_t ifs_len = strnlen (ifs_value, MB_CUR_MAX);
      ifs_firstc_len = mblen (ifs_value, ifs_len);
      memcpy (ifs_firstc, ifs_value, ifs_firstc_len);
    }

If the ifs_value string is not a valid multibyte string, mblen may return -1.
The subsequent memcpy causes a crash.

I'm not sure what the right outcome is, but crashing is not it :)

Comment 1 Elliot Lee 2005-08-05 19:34:31 UTC

Created attachment 117500 [details]
Test case

The test case and bug info courtesy of Derek Pomery <nemo>

Comment 3 Tim Waugh 2005-08-08 15:09:18 UTC

Should be fixed in bash-3.0-33.  Thanks for the report.

Note You need to log in before you can comment on or make changes to this bug.