Bash parser infinite loop in yy_getc

Mon, 08 May 2017 09:13:45 -0700 

The parser goes into an infinite loop with the following input:

dualbus@debian:~/bash-fuzzing/bash-parser$ cat -v
output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4
for ((0funcM-^Nion;)); do :M->M-aM-RM->M->e&
d^?^@e :; 
done&M-wd\\\cr$\osM-ac\\M-ac\\^\\M-]\^\\M-]\\\cr\^\\M-]\\\c'M-^?^ZM-a^@^P\^M-\SM-]\\\\\^O\H\\\\M-EsM-ac\\M-ac\\^\\M-]\^\\M-]\\\cr\^\\M-]\\\c'M-^?^ZM-a^@^P\^M-\\M-]\\\\\^O\H\\\\\^O\H\

dualbus@debian:~/bash-fuzzing/bash-parser$ base64
output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4
Zm9yICgoMGZ1bmOOaW9uOykpOyBkbyA6vuHSvr5lJgpkfwBlIDo7IGRvbmUm92RcXFxjciRcb3Ph
Y1xc4WNcXF5cXN1cXlxc3VxcXGNyXF5cXN1cXFxjJ/8a4QAQXF7cU91cXFxcXA9cSFxcXFzFc+Fj
XFzhY1xcXlxc3VxeXFzdXFxcY3JcXlxc3VxcXGMn/xrhABBcXtxc3VxcXFxcD1xIXFxcXFwPXEhc

dualbus@debian:~/bash-fuzzing/bash-parser$ md5sum
output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4
d68c7d167e171a2f42b6af52490eb2c8
output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4

(gdb) r -n output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4
Starting program: /home/dualbus/src/gnu/bash/bash -n
output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4
output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4: line 1:
syntax error: arithmetic expression required
output/13/crashes/id:000042,sig:11,src:005617,op:havoc,rep:4: line 1:
syntax error: `((0func�ion;))'
^C
Program received signal SIGINT, Interrupt.
0x00007ffff76e8540 in __read_nocancel () at
../sysdeps/unix/syscall-template.S:84
84      ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) bt
#0  0x00007ffff76e8540 in __read_nocancel () at
../sysdeps/unix/syscall-template.S:84
#1  0x00000000004e9393 in zread (fd=255, buf=0x829a08 "", len=171) at zread.c:56
#2  0x000000000048f8ec in b_fill_buffer (bp=0x828ec8) at input.c:499
#3  0x000000000048f76c in buffered_getchar () at input.c:563
#4  0x0000000000431a8b in yy_getc () at ./parse.y:1389
#5  0x0000000000432328 in shell_getc (remove_quoted_newline=1) at ./parse.y:2289
#6  0x0000000000430bb7 in read_token (command=0) at ./parse.y:3138
#7  0x000000000042c14e in yylex () at ./parse.y:2675
#8  0x0000000000428abe in yyparse () at y.tab.c:1827
#9  0x00000000004285ab in parse_command () at eval.c:294
#10 0x0000000000428392 in read_command () at eval.c:338
#11 0x0000000000428091 in reader_loop () at eval.c:140
#12 0x00000000004253bb in main (argc=3, argv=0x7fffffffe438,
env=0x7fffffffe458) at shell.c:794

Reply via email to