Bug-Reported-by: "Dashing" <dashing@hushmail.com>
Bug-Reference-ID: <20130211175049.D90786F446@smtp.hushmail.com>
Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2013-02/msg00030.html

When converting a multibyte string to a wide character string as part of
pattern matching, bash does not handle the end of the string correctly,
causing the search for the NUL to go beyond the end of the string and
reference random memory. Depending on the contents of that memory, bash
can produce errors or crash.

Patch (apply with `patch -p0'):

Index: b/bash/lib/glob/xmbsrtowcs.c
===================================================================
--- a/bash/lib/glob/xmbsrtowcs.c
+++ b/bash/lib/glob/xmbsrtowcs.c
It may set 'p' to NULL. */
n = mbsnrtowcs(wsbuf+wcnum, &p, nms, wsbuf_size-wcnum, &state);
+ if (n == 0 && p == 0)
+ wsbuf[wcnum] = L'\0';
/* Compensate for taking single byte on wcs conversion failure above. */
if (wcslength == 1 && (n == 0 || n == (size_t)-1))
- wsbuf[wcnum++] = *p++;
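Review bot: The added store `wsbuf[wcnum] = L'\0';` under `if (n == 0 && p == 0)` assumes `wcnum < wsbuf_size`, but nothing in the visible lines establishes that: the `mbsnrtowcs` call just above is given `wsbuf_size-wcnum` as its capacity, and if that value is ever zero the new write lands one element past the buffer. Please state the invariant in a comment next to the new branch, or check it explicitly before the store. The branch would also benefit from a one-line comment saying which `mbsnrtowcs` outcome it handles, since the existing comment only notes that `p` may be set to NULL, and `p == NULL` would read more consistently with that comment than `p == 0`.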
Index: b/bash/patchlevel.h
===================================================================
--- a/bash/patchlevel.h
+++ b/bash/patchlevel.h
regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
looks for to find the patch level (for the sccs version string). */
-#define PATCHLEVEL 43
+#define PATCHLEVEL 44
#endif /* _PATCHLEVEL_H_ */