[7893] in bugtraq
Re: Buffer overflow in bash 1.14.7(1)
daemon@ATHENA.MIT.EDU (Michael Riepe)
Sat Sep 5 20:07:15 1998
Date: Sat, 5 Sep 1998 16:31:03 +0200
Reply-To: Michael Riepe <michael@STUD.UNI-HANNOVER.DE>
From: Michael Riepe <michael@STUD.UNI-HANNOVER.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.96.980904151609.1385A-100000@einstein.dhis.eu.org>; from Joao Manuel Carolino on Fri, Sep 04, 1998 at 04:09:28PM +0000
On Fri, Sep 04, 1998 at 04:09:28PM +0000, Joao Manuel Carolino wrote:
> If you cd in to a directory which has a path name larger than 1024 bytes
> and you have '\w' included in your PS1 environment variable (which makes
> the path to the current working directory appear in each command line
> prompt), a buffer overflow will occur.
> The following was tested on my machine, running Slackware 3.5:
>
> einstein:~# gdb bash
[...]
Setting PS1 to any long string will have the same effect.
This is a bug in libreadline (more precisely, in rl_redisplay() in
.../lib/readline/display.c), and it is still present in bash-2.02.1.
AFAIK, it was reported to the maintainer several weeks ago.
--
Michael "Tired" Riepe <Michael.Riepe@stud.uni-hannover.de>
"All I wanna do is have a little fun before I die"
Attachment: bash-2.02.1-fix.diff (fix for readline line buffer overflow)
diff -ru bash-2.02.1.orig/lib/readline/display.c bash-2.02.1/lib/readline/display.c
--- bash-2.02.1.orig/lib/readline/display.c Sat Sep 5 14:51:29 1998
+++ bash-2.02.1/lib/readline/display.c Sat Sep 5 15:08:57 1998
@@ -307,6 +307,20 @@
}
}
+static void
+_rl_extend_buffers (int max_size)
+{
+ if (max_size >= line_size)
+ {
+ while (max_size >= line_size)
+ {
+ line_size *= 2;
+ }
+ visible_line = xrealloc (visible_line, line_size);
+ invisible_line = xrealloc (invisible_line, line_size);
+ }
+}
+
/* Basic redisplay algorithm. */
void
rl_redisplay ()
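Review bot: `_rl_extend_buffers` reallocates `visible_line` and `invisible_line` but cannot update the caller's local `line` pointer, so every call site has to remember to follow it with `line = invisible_line;` (all three call sites in this patch do); a future caller that forgets would write through the pointer `xrealloc` just freed. Consider returning the new `invisible_line` from the helper so the call reads `line = _rl_extend_buffers (out + n);`, or at least state the requirement in a comment above the function. The outer `if (max_size >= line_size)` is redundant with the `while` condition except that it skips the two `xrealloc` calls when no growth is needed; a one-line comment saying so would stop a later reader from "simplifying" it into unconditional reallocations.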
@@ -373,6 +387,8 @@
if (local_len > 0)
{
+ _rl_extend_buffers(out + local_len);
+ line = invisible_line;
strncpy (line + out, local_prompt, local_len);
out += local_len;
}
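Review bot: `out + local_len` is exactly the number of bytes the following `strncpy` writes, and the call is safe only because the helper compares with `>=`: after it returns, `line_size > out + local_len`, so one byte remains for a terminator at the new `line[out]`. That margin lives entirely in the comparison operator, so a short comment at the call site (or a helper that takes the number of bytes needed and reserves the terminator itself) would keep a later change from `>=` to `>` from silently reintroducing a one-byte overflow.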
@@ -399,6 +415,8 @@
}
pmtlen = strlen (prompt_this_line);
+ _rl_extend_buffers(out + pmtlen);
+ line = invisible_line;
strncpy (line + out, prompt_this_line, pmtlen);
out += pmtlen;
line[out] = '\0';
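Review bot: this is where the one-byte margin is actually consumed: after `out += pmtlen` the write `line[out] = '\0'` lands at index `out + pmtlen` relative to the old `out`, which is in bounds only because `_rl_extend_buffers (out + pmtlen)` guarantees `line_size > out + pmtlen`. The logic is correct, but it repeats the same two-line call-then-reassign pattern from the previous hunk; having the helper return the new `invisible_line` pointer would collapse both sites to a single line and put the terminator requirement in one place instead of at each caller.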
@@ -440,13 +458,8 @@
{
c = (unsigned char)rl_line_buffer[in];
- if (out + 8 >= line_size) /* XXX - 8 for \t */
- {
- line_size *= 2;
- visible_line = xrealloc (visible_line, line_size);
- invisible_line = xrealloc (invisible_line, line_size);
- line = invisible_line;
- }
+ _rl_extend_buffers(out + 8); /* XXX - 8 for \t */
+ line = invisible_line;
if (in == rl_point)
{
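Review bot: the removed block doubled `line_size` only once per character, which was sufficient because the check ran on every iteration; the helper now loops until the size fits, so behaviour is preserved and the inline growth code is no longer duplicated. The `/* XXX - 8 for \t */` slack is still a magic number, though; now that growth is centralised, naming the constant (or passing the real width of the tab expansion) would remove the last hard-coded margin in this function. The old `line = invisible_line;` ran only inside the `if` when a realloc happened, whereas the new reassignment is unconditional; that is harmless and arguably clearer, but worth a note in the changelog since it is a small behavioural difference from the replaced lines.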