Configuration Information [Automatically generated, do not change]:
Machine: i486
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i486' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i486-pc-linux-gnu' -DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I../bash -I../bash/include -I../bash/lib -g -O2 -Wall
uname output: Linux kvm1 2.6.27-7-generic #1 SMP Tue Nov 4 19:33:20 UTC 2008 i686 GNU/Linux
Machine Type: i486-pc-linux-gnu

Bash Version: 3.2
Patch Level: 39
Release Status: release

Description:
	get_comp_wordbreaks() in variables.c records the value of rl_completer_word_break_characters into the COMP_WORDBREAKS variable value field. But enable_hostname_completion() frees it and allocates new memory for rl_completer_word_break_characters without updating the COMP_WORDBREAKS variable value field. Eventually shell_reinitialize is used and calls delete_all_contexts(shell_variables), freeing the COMP_WORDBREAKS value memory a second time. That can happen when the shell is running a shell script that doesn't have a "#!/bin/bash" line. The corruption causes a shell crash or hang. The exact results depend on what (if any) unfortunate code allocated the freed memory before the extra call to free it.

Repeat-By:
	$ echo date > btest.sh; chmod +x btest.sh
	$ /bin/bash -c 'shopt -u hostcomplete;echo $COMP_WORDBREAKS;shopt -s hostcomplete;exec ./btest.sh'
	"'><=;|&(:
	malloc: ../bash/variables.c:2296: assertion botched
	free: called with already freed block argument
	Aborting...Aborted

Fix:
	Make a copy of the rl_completer_word_break_characters value instead of using the original address.

diff --git a/variables.c b/variables.c index 072a590..e9705ba 100644 --- a/variables.c +++ b/variables.c @@ -1314,7 +1314,8 @@ get_comp_wordbreaks (var) if (rl_completer_word_break_characters == 0 && bash_readline_initialized == 0) enable_hostname_completion (perform_hostname_completion); - var_setvalue (var, rl_completer_word_break_characters); + FREE (value_cell (var)); + var_setvalue (var, savestring (rl_completer_word_break_characters)); return (var); }

-- 
Mike Stroyan <[EMAIL PROTECTED]>
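
Review bot: the new "var_setvalue (var, savestring (rl_completer_word_break_characters));" line can hand a null pointer to savestring when rl_completer_word_break_characters is 0 but bash_readline_initialized is non-zero, because the guard above only calls enable_hostname_completion when both are 0. The old line stored the null pointer without dereferencing it; savestring has to measure and copy the string. Either confirm that state cannot be reached or store a null value in that case. A short comment above "FREE (value_cell (var));" saying that the value cell now owns a private copy would also help keep later setters of this variable from storing the readline pointer directly again.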
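
The ownership problem described in the report, as a simplified stand-alone C model added here (not bash source and not part of the original message). The names t_strdup, t_free, toggle_hostcomplete, get_wordbreaks and run_scenario are hypothetical, the strings are constructed sample values, and the tracking allocator quarantines freed blocks so the second free is counted instead of executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Tracking allocator: blocks are never reused, so a repeated free is detectable. */
#define MAXBLK 32
static void *blk[MAXBLK];
static int is_freed[MAXBLK], nblk, double_frees;

static char *t_strdup(const char *s) {
    char *p = malloc(strlen(s) + 1);
    if (p == NULL || nblk == MAXBLK) abort();
    blk[nblk++] = p;
    return strcpy(p, s);
}

static void t_free(void *p) {
    for (int i = 0; i < nblk; i++)
        if (blk[i] == p) { double_frees += is_freed[i]; is_freed[i] = 1; return; }
}

static char *word_breaks;      /* models rl_completer_word_break_characters */
struct var { char *value; };   /* models the COMP_WORDBREAKS value cell */
/* Models enable_hostname_completion(): frees and replaces the global buffer. */
static void toggle_hostcomplete(const char *newval) {
    char *n = t_strdup(newval);
    t_free(word_breaks);
    word_breaks = n;
}

/* Models get_comp_wordbreaks(); copy != 0 stores a private copy, as in the Fix. */
static void get_wordbreaks(struct var *v, int copy) {
    if (copy) { t_free(v->value); v->value = t_strdup(word_breaks); }
    else v->value = word_breaks;   /* alias: two owners of one block */
}

/* Read the variable, toggle hostcomplete, tear down; returns double frees seen. */
int run_scenario(int copy) {
    struct var v = { NULL };
    double_frees = 0;
    word_breaks = t_strdup("\"'><=;|&(:");   /* constructed sample value */
    get_wordbreaks(&v, copy);
    toggle_hostcomplete("@\"'><=;|&(:");     /* constructed sample value */
    t_free(v.value);   /* models delete_all_contexts() freeing the value */
    return double_frees;
}

int main(void) {
    printf("aliased: %d, copied: %d\n", run_scenario(0), run_scenario(1));
}
```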