dualbus@debian:~/bash-fuzzing/read-readline$ base64 < output/17/crashes/id:000288,sig:11,src:017460+007808,op:splice,rep:8 GxEWGS8YR94ZZB6QGzeQfzcbN45kAh6QGzeQGzcbNxF//y8YRwEaHB6QG+3t7e3t7efte3t7e94u +pYBGxsbKegDVP8BGxlgBHt7e3t7e3sQlvwAcQ7/IuAMFBAbGxsrAKEBAJqampqSljyAFH8bGxlU 9tHXllMkLZYAFxAgUxP6GhveLwCV/aAQGxsb/3///yR7e3t7e94vFAAAEP8bKgCh8QJ/GvpAFJTt lhADVP8bG28AGwIbUyQoeRv/GvpAFJQABAIbU+KVG1QE3iYUvxQbGwAC/VNbLyZUBBsbAAL9Uxsv G1QEGxsbG1QAQAAAl+2WEBsbGwobVABAAACD8QJ///IbkCEk+iAgVP8bG28AGwIbUyQoeRv/GvpA FJTtlhAbGxsK6ncAEfp8fGKAf2jZAzJkUVFRUf38AJYEGwIbXRsbHwCAFAAAohD8AJYEGwL9UxsV GwAbAGRU//9//5YE3pYUGxob3i8UlhQaVGbnJof/G4AAAAB7e/oGA1T/GxtTJAp5G/8aDBSUAAR7 /3t7e/oMFJQABHt7e3u/3hEUlhQbGxsq/////4DtGxsbOBsfGxsE/+0F
Core was generated by `/home/dualbus/src/gnu/bash/bash -c read -e'. Program terminated with signal SIGSEGV, Segmentation fault. #0 strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x00005581b1be61bf in skip_to_delim ( string=0x5581b3758f87 "${{{{{\377d/\377\241\377@\361\372\224T\355y@\226\372\224\377$(o&\225\336\277\375ST[/", start=128, delims=0x7fffcd21a32e "}", flags=257) at subst.c:1842 #2 0x00005581b1c15c31 in bash_directory_completion_hook (dirname=0x5581b1ecf348 <dirname>) at bashline.c:3250 #3 0x00005581b1c64992 in rl_filename_completion_function ( text=0x5581b3758d08 "T\374\377\226\220\355\355\355\355\355\347{{{{\355.\336\031/dސ\220\220\220\220\220\220\067\216\216\216\216\216\216\216\220\220\220\220\220\220\220\220", '\177' <repeats 77 times>, "\377//\375\240${{{{{\377d/\377\241\377@\361\372\224T\355y@\226\372\224\377$(o&\225\336\277\375ST[/&S", state=0) at complete.c:2506 #4 0x00005581b1c6406c in rl_completion_matches ( text=0x5581b3758d08 "T\374\377\226\220\355\355\355\355\355\347{{{{\355.\336\031/dސ\220\220\220\220\220\220\067\216\216\216\216\216\216\216\220\220\220\220\220\220\220\220", '\177' <repeats 77 times>, "\377//\375\240${{{{{\377d/\377\241\377@\361\372\224T\355y@\226\372\224\377$(o&\225\336\277\375ST[/&S", entry_function=0x5581b1c6475b <rl_filename_completion_function>) at complete.c:2183 #5 0x00005581b1c61ee6 in gen_completion_matches ( text=0x5581b3758d08 "T\374\377\226\220\355\355\355\355\355\347{{{{\355.\336\031/dސ\220\220\220\220\220\220\067\216\216\216\216\216\216\216\220\220\220\220\220\220\220\220", '\177' <repeats 77 times>, "\377//\375\240${{{{{\377d/\377\241\377@\361\372\224T\355y@\226\372\224\377$(o&\225\336\277\375ST[/&S", start=14, end=179, our_func=0x5581b1c6475b <rl_filename_completion_function>, found_quote=2, quote_char=34) at complete.c:1226 #6 0x00005581b1c63aab in rl_complete_internal (what_to_do=9) at 
complete.c:2011 #7 0x00005581b1c60c51 in rl_complete (ignore=1, invoking_key=27) at complete.c:438 #8 0x00005581b1c59a35 in _rl_dispatch_subseq (key=27, map=0x5581b3728008, got_subseq=0) at readline.c:851 #9 0x00005581b1c5a162 in _rl_subseq_result (r=-2, map=0x5581b1ec7160 <emacs_meta_keymap>, key=27, got_subseq=0) at readline.c:1050 #10 0x00005581b1c59f12 in _rl_dispatch_subseq (key=27, map=0x5581b1ec7160 <emacs_meta_keymap>, got_subseq=0) at readline.c:986 #11 0x00005581b1c59efa in _rl_dispatch_subseq (key=27, map=0x5581b1ec6140 <emacs_standard_keymap>, got_subseq=0) at readline.c:985 #12 0x00005581b1c597ac in _rl_dispatch (key=7, map=0x5581b1ec6140 <emacs_standard_keymap>) at readline.c:797 #13 0x00005581b1c59434 in readline_internal_char () at readline.c:629 #14 0x00005581b1c5948c in readline_internal_charloop () at readline.c:656 #15 0x00005581b1c594b0 in readline_internal () at readline.c:670 #16 0x00005581b1c58ecd in readline (prompt=0x5581b1c9da2c "") at readline.c:374 #17 0x00005581b1c323fa in edit_line (p=0x5581b1c9da2c "", itext=0x0) at ./read.def:1090 #18 0x00005581b1c3117c in read_builtin (list=0x0) at ./read.def:554 #19 0x00005581b1bc99c7 in execute_builtin (builtin=0x5581b1c30423 <read_builtin>, words=0x5581b36fa688, flags=64, subshell=0) at execute_cmd.c:4605 #20 0x00005581b1bca927 in execute_builtin_or_function (words=0x5581b36fa688, builtin=0x5581b1c30423 <read_builtin>, var=0x0, redirects=0x0, fds_to_close=0x5581b36f9e08, flags=64) at execute_cmd.c:5103 #21 0x00005581b1bc92a9 in execute_simple_command (simple_command=0x5581b36f9d88, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x5581b36f9e08) at execute_cmd.c:4391 #22 0x00005581b1bc29df in execute_command_internal (command=0x5581b36f9d48, asynchronous=0, pipe_in=-1, pipe_out=-1, ---Type <return> to continue, or q <return> to quit--- fds_to_close=0x5581b36f9e08) at execute_cmd.c:811 #23 0x00005581b1c292f6 in parse_and_execute (string=0x5581b36e2268 "read -e", from_file=0x5581b1c86630 "-c", 
flags=4) at evalstring.c:430 #24 0x00005581b1ba9ce5 in run_one_command (command=0x7fffcd21c727 "read -e") at shell.c:1405 #25 0x00005581b1ba8e04 in main (argc=3, argv=0x7fffcd21af28, env=0x7fffcd21af48) at shell.c:718 I think this is the fix: dualbus@debian:~/src/gnu/bash$ git diff -- bashline.c
diff --git a/bashline.c b/bashline.c
index 7884416a..c92255d6 100644
--- a/bashline.c
+++ b/bashline.c
@@ -3247,7 +3247,7 @@ bash_directory_completion_hook (dirname)
char delims[2];
delims[0] = closer;
delims[1] = 0;
- p = skip_to_delim (t, t - local_dirname + 1, delims, SD_NOJMP|SD_COMPLETE);
+ p = skip_to_delim (t, 1, delims, SD_NOJMP|SD_COMPLETE);
if (t[p] != closer)
should_expand_dirname = 0;
}
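Review bot: The corrected call deserves a comment, because the old index expression looks plausible and is easy to reintroduce: `skip_to_delim`'s `start` is an index into its first argument `t`, so `t - local_dirname + 1` overshot by `t`'s offset into `local_dirname` whenever the `$` was not the first byte of the word — in frame #1 that is `start=128` against a string of roughly 40 bytes, so the scan began past the terminator and the `strlen` in frame #0 read out of bounds. Suggested comment on the new line: `/* start is an index into t (t[0] is the '$'), not into local_dirname */`. Because this was an over-read rather than a write, it also merits a regression test: the over-read only needs a completion word whose text before the `$` is longer than what follows it, so a short case like that alongside the fuzz input would pin the fix. The enclosing function bash_directory_completion_hook starts and ends outside the hunk, so whether `t` can be NULL or lack the `{`/`(` that `closer` assumes is not visible here and should be checked at the call site above.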