--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii

On Fri, Sep 04, 1998 at 04:09:28PM +0000, Joao Manuel Carolino wrote:
> If you cd in to a directory which has a path name larger than 1024 bytes
> and you have '\w' included in your PS1 environment variable (which makes
> the path to the current working directory appear in each command line
> prompt), a buffer overflow will occur.
> The following was tested on my machine, running Slackware 3.5:
>
> einstein:~# gdb bash
[...]
Setting PS1 to any long string will have the same effect.
This is a bug in libreadline (more precisely, in rl_redisplay() in .../lib/readline/display.c), and it is still present in bash-2.02.1. AFAIK, it has been reported to the maintainer several weeks ago.
--
Michael "Tired" Riepe <Michael.Riepeat_private-hannover.de>
"All I wanna do is have a little fun before I die"

--lrZ03NoBR/3+SXJZ
Content-Type: text/plain; charset=us-ascii
Content-Description: fix for readline line buffer overflow
Content-Disposition: attachment; filename="bash-2.02.1-fix.diff"

diff -ru bash-2.02.1.orig/lib/readline/display.c bash-2.02.1/lib/readline/display.c
--- bash-2.02.1.orig/lib/readline/display.c	Sat Sep 5 14:51:29 1998
+++ bash-2.02.1/lib/readline/display.c	Sat Sep 5 15:08:57 1998
@@ -307,6 +307,20 @@
     }
 }
 
+static void
+_rl_extend_buffers (int max_size)
+{
+  if (max_size >= line_size)
+    {
+      while (max_size >= line_size)
+        {
+          line_size *= 2;
+        }
+      visible_line = xrealloc (visible_line, line_size);
+      invisible_line = xrealloc (invisible_line, line_size);
+    }
+}
+
 /* Basic redisplay algorithm. */
 void
 rl_redisplay ()
@@ -373,6 +387,8 @@
 
       if (local_len > 0)
         {
+          _rl_extend_buffers(out + local_len);
+          line = invisible_line;
           strncpy (line + out, local_prompt, local_len);
           out += local_len;
         }
@@ -399,6 +415,8 @@
         }
 
       pmtlen = strlen (prompt_this_line);
+      _rl_extend_buffers(out + pmtlen);
+      line = invisible_line;
       strncpy (line + out, prompt_this_line, pmtlen);
       out += pmtlen;
       line[out] = '\0';
@@ -440,13 +458,8 @@
     {
       c = (unsigned char)rl_line_buffer[in];
 
-      if (out + 8 >= line_size)	/* XXX - 8 for \t */
-        {
-          line_size *= 2;
-          visible_line = xrealloc (visible_line, line_size);
-          invisible_line = xrealloc (invisible_line, line_size);
-          line = invisible_line;
-        }
+      _rl_extend_buffers(out + 8);	/* XXX - 8 for \t */
+      line = invisible_line;
 
       if (in == rl_point)
         {

--lrZ03NoBR/3+SXJZ--
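Review bot: `_rl_extend_buffers` in the first hunk carries no comment, and its one non-obvious contract — `xrealloc` may move both buffers, so a caller must reload any pointer into them (each call site in the later hunks re-reads `line = invisible_line` right after the call) — is exactly what a future caller is most likely to get wrong. I would put above the definition: `/* Grow visible_line and invisible_line until index MAX_SIZE is valid (line_size ends strictly greater than MAX_SIZE, so a terminating NUL at line[MAX_SIZE] fits). The buffers may move: reload any cached pointer into them afterwards. */`. The outer `if` merely repeats the `while` condition; a guard clause `if (max_size < line_size) return;` followed by the loop and the two reallocations states it once. If `line_size` is an `int`, as the `int max_size` parameter suggests, `line_size *= 2` is a signed overflow once it passes INT_MAX/2 — not reachable with a real prompt, but worth a line in the comment or a bound on `max_size`.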
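Review bot: Every call to `_rl_extend_buffers` — here and at both call sites in the earlier hunks — is followed by the same `line = invisible_line;` reload, because `xrealloc` may have moved the buffer; a caller that omits the second line is left with a dangling `line` and nothing in the helper's signature warns about it. Having the helper hand back the fresh pointer folds the reload into the call and removes the triplication: `line = _rl_extend_buffers (out + 8);`, with the helper declared `static char *` (assuming `invisible_line` is a `char *`, as its assignment to `line` suggests) and ending in `return invisible_line;`. The `8` is explained only by the carried-over `/* XXX - 8 for \t */` comment; naming it as the largest per-character expansion the loop body can emit would let a reader check that bound against the body, which lies outside this hunk.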