Brad Bishop | 37a0e4d | 2017-12-04 01:01:44 -0500 | 1 | From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001 |
| 2 | From: Chet Ramey <chet.ramey@case.edu> |
| 3 | Date: Fri, 20 Jan 2017 11:47:31 -0500 |
| 4 | Subject: [PATCH] Bash-4.4 patch 6 |
| 5 | |
| 6 | Bug-Reference-URL: |
| 7 | https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html |
| 8 | |
| 9 | Reference to upstream patch: |
| 10 | https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006 |
| 11 | |
| 12 | Bug-Description: |
| 13 | Out-of-range negative offsets to popd can cause the shell to crash attempting |
| 14 | to free an invalid memory block. |
| 15 | |
| 16 | Upstream-Status: Backport |
| 17 | CVE: CVE-2016-9401 |
| 18 | Signed-off-by: Li Zhou <li.zhou@windriver.com> |
| 19 | --- |
| 20 | builtins/pushd.def | 7 ++++++- |
| 21 | 1 file changed, 6 insertions(+), 1 deletion(-) |
| 22 | |
| 23 | diff --git a/builtins/pushd.def b/builtins/pushd.def |
| 24 | index 9c6548f..8a13bae 100644 |
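--- a/builtins/pushd.def
+++ b/builtins/pushd.def
@@ -359,7 +359,7 @@ popd_builtin (list)
 break;
 }
 
- if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
+ if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
 {
 pushd_error (directory_list_offset, which_word ? which_word : "");
 return (EXECUTION_FAILURE);
@@ -381,6 +381,11 @@ popd_builtin (list)
 remove that directory from the list and shift the remainder
 of the list into place. */
 i = (direction == '+') ? directory_list_offset - which : which;
+ if (i < 0 || i > directory_list_offset)
+ {
+ pushd_error (directory_list_offset, which_word ? which_word : "");
+ return (EXECUTION_FAILURE);
+ }
 free (pushd_directory_list[i]);
 directory_list_offset--;
 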
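Review bot: The new guard ahead of `free (pushd_directory_list[i])` in the second hunk tests `i > directory_list_offset`, so `i == directory_list_offset` still passes and reaches the free. The `directory_list_offset--` that follows suggests the live entries sit at indices 0 through directory_list_offset - 1, which would make that index one past the last entry; if so, the tight bound is `if (i < 0 || i >= directory_list_offset)`. The equal case may already be consumed by an earlier branch of popd_builtin, whose body starts and ends outside this hunk, but the guard should not depend on that. A short comment such as `/* i indexes pushd_directory_list; reject anything outside the live entries */` would also record why this check repeats the earlier range test on `which`.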
| 48 | -- |
| 49 | 1.9.1 |
| 50 | |