Re: Buffer overflow in bash 1.14.7(1)

From: Michael Riepe (michaelat_private-HANNOVER.DE)
Date: Sat Sep 05 1998 - 07:31:03 PDT


    --lrZ03NoBR/3+SXJZ
    Content-Type: text/plain; charset=us-ascii
    
    On Fri, Sep 04, 1998 at 04:09:28PM +0000, Joao Manuel Carolino wrote:
    > If you cd in to a directory which has a path name larger than 1024 bytes
    > and you have '\w' included in your PS1 environment variable (which makes
    > the path to the current working directory appear in each command line
    > prompt), a buffer overflow will occur.
    > The following was tested on my machine, running Slackware 3.5:
    >
    > einstein:~# gdb bash
    [...]
    
    Setting PS1 to any long string will have the same effect.
    This is a bug in libreadline (more precisely, in rl_redisplay() in
    .../lib/readline/display.c), and it is still present in bash-2.02.1.
    AFAIK, it was reported to the maintainer several weeks ago.
    
    --
     Michael "Tired" Riepe <Michael.Riepeat_private-hannover.de>
     "All I wanna do is have a little fun before I die"
    
    --lrZ03NoBR/3+SXJZ
    Content-Type: text/plain; charset=us-ascii
    Content-Description: fix for readline line buffer overflow
    Content-Disposition: attachment; filename="bash-2.02.1-fix.diff"
    
    diff -ru bash-2.02.1.orig/lib/readline/display.c bash-2.02.1/lib/readline/display.c
    --- bash-2.02.1.orig/lib/readline/display.c     Sat Sep  5 14:51:29 1998
    +++ bash-2.02.1/lib/readline/display.c  Sat Sep  5 15:08:57 1998
    @@ -307,6 +307,20 @@
         }
     }
    
    +static void
    +_rl_extend_buffers (int max_size)
    +{
    +  if (max_size >= line_size)
    +    {
    +      while (max_size >= line_size)
    +       {
    +         line_size *= 2;
    +       }
    +      visible_line = xrealloc (visible_line, line_size);
    +      invisible_line = xrealloc (invisible_line, line_size);
    +    }
    +}
    +
     /* Basic redisplay algorithm. */
     void
     rl_redisplay ()
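Review bot: `_rl_extend_buffers` carries no comment, and the one property its callers depend on — that both buffers may move, so any pointer derived from `visible_line` or `invisible_line` (the caller's `line`) must be re-read after the call — is stated nowhere. I would add above the definition: `/* Grow visible_line/invisible_line until line_size > max_size. Both buffers may move; callers must refetch any pointer into them (e.g. line). */`. The doubling loop also has no upper bound: if `line_size` is an `int` (its declaration is outside this hunk), a large enough `max_size` makes `line_size *= 2` overflow, which is undefined for signed types, so a guard such as `if (line_size > INT_MAX / 2) { /* refuse to grow */ }` before the doubling is worth adding. Whether `xrealloc` aborts on failure is not visible here; if it can return NULL, the two results need checking before the next write through them.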
    @@ -373,6 +387,8 @@
    
           if (local_len > 0)
            {
    +         _rl_extend_buffers(out + local_len);
    +         line = invisible_line;
              strncpy (line + out, local_prompt, local_len);
              out += local_len;
            }
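Review bot: The added `line = invisible_line;` is a required refresh after a possible reallocation, not a redundant assignment, and nothing on the line says so — a later reader may delete it. A one-line comment such as `/* _rl_extend_buffers may have moved the buffers */` on the added line here and in the two following hunks would prevent that. The call `_rl_extend_buffers(out + local_len)` also omits the space before the parenthesis that the surrounding GNU-style code uses (`strncpy (line + out, ...)`), as do the calls in the next two hunks. The body of rl_redisplay begins and ends outside this hunk.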
    @@ -399,6 +415,8 @@
            }
    
           pmtlen = strlen (prompt_this_line);
    +      _rl_extend_buffers(out + pmtlen);
    +      line = invisible_line;
           strncpy (line + out,  prompt_this_line, pmtlen);
           out += pmtlen;
           line[out] = '\0';
    @@ -440,13 +458,8 @@
         {
           c = (unsigned char)rl_line_buffer[in];
    
    -      if (out + 8 >= line_size)                /* XXX - 8 for \t */
    -       {
    -         line_size *= 2;
    -         visible_line = xrealloc (visible_line, line_size);
    -         invisible_line = xrealloc (invisible_line, line_size);
    -         line = invisible_line;
    -       }
    +      _rl_extend_buffers(out + 8);     /* XXX - 8 for \t */
    +      line = invisible_line;
    
           if (in == rl_point)
            {
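Review bot: The 8-byte reserve in `_rl_extend_buffers(out + 8)` remains a bare magic number explained only by the trailing `/* XXX - 8 for \t */`, and now that growth is centralised in the helper it is the only sizing assumption left in this loop. A named constant defined next to the helper, e.g. `#define TAB_RESERVE 8` and `_rl_extend_buffers (out + TAB_RESERVE);`, would tie the reserve to the tab handling that presumably follows further down the loop (outside this hunk). The per-character loop and rl_redisplay continue past the end of the hunk.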
    
    --lrZ03NoBR/3+SXJZ--
    


