Configuration Information [Automatically generated, do not change]:
Machine: i686
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i686' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i686-pc-linux-gnu' -DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib -march=i686 -mtune=generic -O2 -pipe -ggdb
uname output: Linux helios 2.6.31-ARCH #1 SMP PREEMPT Sat Sep 26 02:39:09 CEST 2009 i686 AMD Athlon(tm) XP 2600+ AuthenticAMD GNU/Linux
Machine Type: i686-pc-linux-gnu
Bash Version: 4.0
Patch Level: 33
Release Status: release

Description:
When bash_dequote_filename() is called with text ending with a backslash and double quote as quote_char, it writes beyond the memory allocated for ret, thus corrupting memory.

Repeat-By:
This was originally reported as bash crashing when trying to tab-complete:

    wine "c:\windows\

I can replicate this behaviour on my i686 system.

Fix:
bash_dequote_filename() checks if *p is '\0' after writing it to r and later writes another '\0' behind that. Move the check before the write:

--- bash-4.0.orig/bashline.c 2009-10-04 15:06:46.000000000 +0200 +++ bash-4.0/bashline.c 2009-10-04 15:07:03.000000000 +0200 @@ -3223,9 +3223,9 @@ bash_dequote_filename (text, quote_char) else if (quoted == '"' && ((sh_syntaxtab[p[1]] & CBSDQUOTE) == 0)) *r++ = *p; - *r++ = *++p; - if (*p == '\0') + if (*++p == '\0') break; + *r++ = *p; continue; } /* Close quote. */
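Review bot: the reorder in the backslash branch is the right fix, and the reason deserves a comment beside it: with the old order a word ending in a backslash made `*r++ = *++p` copy the terminating NUL into ret, and the NUL store after the loop then landed past the end of ret; with `if (*++p == '\0') break;` ahead of the copy the loop stops before advancing r. A one-line comment above the moved check (for example `/* trailing backslash: stop before copying the NUL */`) would keep a later cleanup from swapping the two statements back into the buggy order, and a completion test for a double-quoted word ending in a backslash, such as the `wine "c:\windows\` case from Repeat-By, would pin the behaviour.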
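To make the overrun countable rather than crash-dependent, here is an added model of the dequote loop in both orders; it is not bash's own code. `bsdquote()` is an assumed stand-in for bash's `sh_syntaxtab[c] & CBSDQUOTE` test, and `model_dequote`, `overrun_bytes` and `dequotes_to` are names chosen for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for (sh_syntaxtab[c] & CBSDQUOTE): the characters a backslash escapes in "...". */
static int bsdquote(char c) { return c == '$' || c == '`' || c == '"' || c == '\\' || c == '\n'; }

/* Model of the bash_dequote_filename() loop; `fixed` selects the patched order. Returns
 * the bytes stored in `ret`, final NUL included, to compare with bash's strlen(text)+1. */
size_t model_dequote(const char *text, char quote_char, int fixed, char *ret)
{
    char *r = ret;
    char quoted = quote_char;                 /* bash starts with quoted = quote_char */
    for (const char *p = text; *p; p++) {
        if (*p == '\\') {
            if (quoted == '"' && !bsdquote(p[1]))
                *r++ = *p;                    /* backslash preserved inside double quotes */
            if (fixed) {
                if (*++p == '\0')
                    break;                    /* patched: look before copying */
                *r++ = *p;
            } else {
                *r++ = *++p;                  /* buggy: a trailing backslash copies the NUL... */
                if (*p == '\0')
                    break;
            }
            continue;
        }
        if (quoted && *p == quoted) { quoted = 0; continue; }                /* close quote */
        if (!quoted && (*p == '\'' || *p == '"')) { quoted = *p; continue; } /* open quote */
        *r++ = *p;
    }
    *r++ = '\0';                              /* ...and this final NUL lands past the end */
    return (size_t)(r - ret);
}

/* Bytes written beyond bash's strlen+1 allocation (0 = in bounds); the model buffer
 * gets one slack byte so the buggy order itself stays within bounds here. */
long overrun_bytes(const char *text, char quote_char, int fixed)
{
    size_t alloc = strlen(text) + 1;
    char *buf = malloc(alloc + 1);
    long over = (long)model_dequote(text, quote_char, fixed, buf) - (long)alloc;
    free(buf);
    return over;
}

/* 1 if the patched model dequotes `text` to exactly `expected`. */
int dequotes_to(const char *text, char quote_char, const char *expected)
{
    char buf[256];
    model_dequote(text, quote_char, 1, buf);
    return strcmp(buf, expected) == 0;
}
```

With the Repeat-By word `c:\windows\` and quote_char `"`, the buggy order reports one byte written past the allocation and the patched order reports none, while both produce the same dequoted string.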