| From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001 |
| From: Chet Ramey <chet.ramey@case.edu> |
| Date: Fri, 20 Jan 2017 11:47:31 -0500 |
| Subject: [PATCH] Bash-4.4 patch 6 |
| |
| Bug-Reference-URL: |
| https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html |
| |
| Reference to upstream patch: |
| https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006 |
| |
| Bug-Description: |
| Out-of-range negative offsets to popd can cause the shell to crash attempting |
| to free an invalid memory block. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-9401 |
| Signed-off-by: Li Zhou <li.zhou@windriver.com> |
| --- |
| builtins/pushd.def | 7 ++++++- |
| 1 file changed, 6 insertions(+), 1 deletion(-) |
| |
| diff --git a/builtins/pushd.def b/builtins/pushd.def |
| index 9c6548f..8a13bae 100644 |
| --- a/builtins/pushd.def |
| +++ b/builtins/pushd.def |
| @@ -359,7 +359,7 @@ popd_builtin (list) |
| break; |
| } |
| |
| - if (which > directory_list_offset || (directory_list_offset == 0 && which == 0)) |
| + if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0)) |
| { |
| pushd_error (directory_list_offset, which_word ? which_word : ""); |
| return (EXECUTION_FAILURE); |
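Review bot: The lower bound added to the range check in popd_builtin, `(which < -directory_list_offset)`, rejects only values below the negated stack depth, so a negative `which` between `-directory_list_offset` and -1 still passes here and is stopped only by the index guard added in the second hunk. That split is not obvious from the condition, which now carries three separate clauses on one line. A comment above it would help, for example `/* Reject offsets outside [-directory_list_offset, directory_list_offset] and any pop from an empty stack; in-range negative offsets are caught by the index check before free(). */`. The function body starts and continues outside the hunk, so how `which` acquires its sign is not visible here.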
| @@ -381,6 +381,11 @@ popd_builtin (list) |
| remove that directory from the list and shift the remainder |
| of the list into place. */ |
| i = (direction == '+') ? directory_list_offset - which : which; |
| + if (i < 0 || i > directory_list_offset) |
| + { |
| + pushd_error (directory_list_offset, which_word ? which_word : ""); |
| + return (EXECUTION_FAILURE); |
| + } |
| free (pushd_directory_list[i]); |
| directory_list_offset--; |
| |
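Review bot: The upper bound in the added guard, `i > directory_list_offset`, still lets `i == directory_list_offset` reach `free (pushd_directory_list[i])`. The decrement that follows suggests the live entries are indices 0 through `directory_list_offset - 1`, so that slot would be one past the last live entry. Writing the guard as `if (i < 0 || i >= directory_list_offset)` would close the gap. The branch enclosing this code starts outside the hunk and may already exclude that value, so this is a defensive tightening rather than a confirmed path to an invalid free.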
| -- |
| 1.9.1 |
| |