I found another null ptr deref and segfault. This only seems to affect bash 4.4.0 as 4.2.37(1)-release and 4.2.37(1)-release only return a 'bad substitution' error message.
bash -c '${!a@a}'

Program received signal SIGSEGV, Segmentation fault.
0x00000000005d36b7 in parameter_brace_transform.isra.17 () at subst.c:6827
6827      vname = parameter_brace_find_indir (varname+1, SPECIAL_VAR (varname, 1), quoted, 1);
(gdb) bt
#0  0x00000000005d36b7 in parameter_brace_transform.isra.17 () at subst.c:6827
#1  0x000000000059f65d in parameter_brace_expand () at subst.c:8020
#2  0x00000000005a1eec in param_expand () at subst.c:8384
#3  0x00000000005c1650 in expand_word_list_internal () at subst.c:8936
#4  0x00000000004a9965 in execute_simple_command () at execute_cmd.c:4079
#5  0x00000000004b497e in execute_command_internal () at execute_cmd.c:813
#6  0x00000000004bcf1d in execute_command () at execute_cmd.c:416
#7  0x00000000004317e0 in reader_loop ()
#8  0x0000000000429bdb in main () at shell.c:767

==40990== Invalid read of size 1
==40990==    at 0x5D36B7: get_var_and_type (subst.c:6827)
==40990==    by 0x5D36B7: parameter_brace_transform.isra.17 (subst.c:4937)
==40990==    by 0x59F65C: parameter_brace_expand (subst.c:8020)
==40990==    by 0x5A1EEB: param_expand (subst.c:8384)
==40990==    by 0x5C164F: expand_word_internal (subst.c:8936)
==40990==    by 0x5C164F: shell_expand_word_list (subst.c:10177)
==40990==    by 0x5C164F: expand_word_list_internal (subst.c:10300)
==40990==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==40990==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==40990==    by 0x6B5D61: parse_and_execute (evalstring.c:413)
==40990==    by 0x41F7A4: run_one_command (shell.c:1374)
==40990==    by 0x4295A9: main (shell.c:699)
==40990==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==40990==
==40990== Process terminating with default action of signal 11 (SIGSEGV)
==40990==  Access not within mapped region at address 0x0
==40990==    at 0x5D36B7: get_var_and_type (subst.c:6827)
==40990==    by 0x5D36B7: parameter_brace_transform.isra.17 (subst.c:4937)
==40990==    by 0x59F65C: parameter_brace_expand (subst.c:8020)
==40990==    by 0x5A1EEB: param_expand (subst.c:8384)
==40990==    by 0x5C164F: expand_word_internal (subst.c:8936)
==40990==    by 0x5C164F: shell_expand_word_list (subst.c:10177)
==40990==    by 0x5C164F: expand_word_list_internal (subst.c:10300)
==40990==    by 0x4A9964: execute_simple_command (execute_cmd.c:4079)
==40990==    by 0x4B497D: execute_command_internal (execute_cmd.c:813)
==40990==    by 0x6B5D61: parse_and_execute (evalstring.c:413)
==40990==    by 0x41F7A4: run_one_command (shell.c:1374)
==40990==    by 0x4295A9: main (shell.c:699)
==40990==  If you believe this happened as a result of a stack
==40990==  overflow in your program's main thread (unlikely but
==40990==  possible), you can try to increase the size of the
==40990==  main thread stack using the --main-stacksize= flag.
==40990==  The main thread stack size used in this run was 8388608.
Segmentation fault

Regards,
Brian 'geeknik' Carpenter
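The following is an added regression check, not part of the report above and not bash project code. It runs the reported expansion `${!a@a}` under a chosen bash binary in a child process and classifies the outcome by exit status, so an installed shell can be checked for this crash without attaching gdb or valgrind. The exit-code mapping is the usual POSIX convention and is an assumption here: a shell killed by SIGSEGV is reported by its parent as 128+11 = 139, a 'bad substitution' error exits with status 1, and 127 means the binary was not found. The function names and the default of `bash` on PATH are my own choices.

```shell
#!/bin/sh
# Added example (not from the original report): triage the ${!a@a} crash
# by exit status instead of by debugger output.

classify_status() {
    # Map a child exit status to a short label (assumed conventions:
    # 139 = killed by SIGSEGV, 1 = 'bad substitution', 127 = not found).
    case "$1" in
        0)   echo "expanded-without-error" ;;
        1)   echo "bad-substitution" ;;
        139) echo "segfault" ;;
        127) echo "shell-not-found" ;;
        *)   echo "other:$1" ;;
    esac
}

check_indir_transform() {
    # $1: path of the bash binary under test; defaults to bash on PATH.
    sh_bin="${1:-bash}"
    # Run the reproducer from the report in a child; discard its stderr.
    # The && / || form keeps this safe under 'set -e'.
    "$sh_bin" -c '${!a@a}' 2>/dev/null && st=0 || st=$?
    classify_status "$st"
}

# Stand-alone use: check_indir_transform /path/to/bash
# A patched shell prints "bad-substitution"; a vulnerable 4.4.0 prints "segfault".
```

Pointing `check_indir_transform` at several installed builds (e.g. a distro bash and a locally built 4.4.0) gives a one-line answer per binary, which is easier to drop into a CI job than the gdb session shown in the report.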