introduced with http://git.savannah.gnu.org/cgit/bash.git/commit/lib/sh/unicode.c?id=495aee44

builtin echo -e through ansictr(), and u32cconv() may end up calling wctomb(). However, this function may return -1 when it cannot be converted into a multibyte sequence. This value is then returned to its callers, and interpreted as the number of bytes consumed (r += u32cconv(v, r)). This creates some corruption which is almost certain to result at least in a crash.

poc:

env -i bash echo -e "\uaaaa+"

or more amusing:

echo -e "Y\u1d52\u1d58 O\u1db0\u02e1\u02b8 L\u1da4\u1d5b\u1d49 O\u1db0\u1d9c\u1d49"

I didn't spend too much time analyzing the code, but below is my quick fix to at least prevent bash from crashing.

please cc, i'm not subscribed

diff --git a/lib/sh/unicode.c b/lib/sh/unicode.c index d34fa08..7215960 100644 --- a/lib/sh/unicode.c +++ b/lib/sh/unicode.c @@ -163,7 +163,7 @@ u32cconv (c, s) if (sizeof (wchar_t) == 4) { n = wctomb (s, wc); - return n; + return (n == -1) ? 0 : n; } #endif
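Review bot: mapping wctomb()'s -1 to 0 stops the negative advance in `r += u32cconv (v, r)`, but it silently drops the code point, so `\uaaaa` now produces no output at all; either add a comment at the `return (n == -1) ? 0 : n;` line saying that unconvertible characters are deliberately discarded, or have the caller emit a visible fallback. The guard is also placed only in the `if (sizeof (wchar_t) == 4)` branch inside the `#if`; if any other conversion path in u32cconv() calls wctomb() as well, it needs the same check, and `n < 0` would read more clearly as "any conversion error" than the literal `-1`.

The failure mode described in the report, as an added example that is not bash's code: a stand-in for u32cconv() in its unfixed and fixed forms, driven by a loop that accumulates `r += conv(...)` the way ansictr() does, on a constructed input mirroring the `\uaaaa+` PoC. It assumes the "C" locale (no setlocale call), in which U+AAAA cannot be encoded and wctomb() fails; the helper names expand, run_poc, poc_cps and poc_out are hypothetical.

```c
/* Added example, not bash's code: models the r += u32cconv (v, r) pattern
 * from ansictr() and shows why a -1 from wctomb() corrupts the buffer.
 * Runs in the "C" locale (no setlocale call), where U+AAAA cannot be
 * encoded and wctomb() fails. */
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for u32cconv(): convert code point C into buffer S and return
 * the byte count.  The unfixed form passes wctomb()'s -1 through; the
 * fixed form (the reporter's patch, written as n < 0) maps it to 0. */
static int u32cconv_unfixed(unsigned long c, char *s)
{
    return wctomb(s, (wchar_t) c);
}

static int u32cconv_fixed(unsigned long c, char *s)
{
    int n = wctomb(s, (wchar_t) c);
    return (n < 0) ? 0 : n;      /* unconvertible code point: emit nothing */
}

/* Expand code points into OUT the way ansictr() does.  Returns the byte
 * count, or -1 if the offset R would go negative (the corruption the
 * report describes) or OUT would be overrun. */
static long expand(const unsigned long *cps, size_t ncps, char *out,
                   size_t outsz, int (*conv)(unsigned long, char *))
{
    long r = 0;
    for (size_t i = 0; i < ncps; i++) {
        if ((size_t) r + MB_LEN_MAX >= outsz)
            return -1;                /* no room for another character */
        r += conv(cps[i], out + r);   /* the pattern from the bug report */
        if (r < 0)
            return -1;                /* write pointer would precede OUT */
    }
    out[r] = '\0';
    return r;
}

/* Constructed input mirroring the PoC: echo -e "\uaaaa+" */
static const unsigned long poc_cps[] = { 0xaaaaUL, '+' };
static char poc_out[64];

/* Returns -1 with the unfixed converter (offset went negative after the
 * first code point) and 1 with the fixed one (poc_out holds just "+"). */
static long run_poc(int (*conv)(unsigned long, char *))
{
    return expand(poc_cps, 2, poc_out, sizeof poc_out, conv);
}
```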