Segmentation fault in expassign when PS1='$[U[0S]+=]'

Mon, 15 May 2017 12:59:12 -0700 

Starting program: /home/dualbus/src/gnu/bash/bash
bash-4.4$ PS1='$[U[0S]+=]'
bash: 0S: value too great for base (error token is "0S")
bash: : syntax error in expression (error token is "U")
$[U[0S]+=]
bash: 0S: value too great for base (error token is "0S")
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00005555555b1ff7 in expassign () at expr.c:505
#2  0x00005555555b1f4b in expcomma () at expr.c:467
#3  0x00005555555b1ec2 in subexpr (expr=0x55555596a148 "U[0S]+=") at expr.c:449
#4  0x00005555555b1d51 in evalexp (expr=0x55555596a148 "U[0S]+=",
flags=1, validp=0x7fffffffbff0) at expr.c:414
#5  0x00005555555d0a73 in param_expand (string=0x55555596a0a8
"$[U[0S]+=]", sindex=0x7fffffffc0e8, quoted=1, expanded_something=0x0,
    contains_dollar_at=0x7fffffffc0dc,
quoted_dollar_at_p=0x7fffffffc0e4, had_quoted_null_p=0x7fffffffc0e0,
pflags=0) at subst.c:9159
#6  0x00005555555d1c27 in expand_word_internal (word=0x7fffffffc1f0,
quoted=1, isexp=0, contains_dollar_at=0x0,
    expanded_something=0x0) at subst.c:9655
#7  0x00005555555c4c79 in expand_prompt_string (string=0x55555596a188
"$[U[0S]+=]", quoted=1, wflags=0) at subst.c:3785
#8  0x00005555555934b7 in decode_prompt_string (string=0x55555596a393
"\v") at ./parse.y:5961
#9  0x0000555555592479 in prompt_again () at ./parse.y:5472
#10 0x000055555558ab70 in yylex () at ./parse.y:2677
#11 0x0000555555585e34 in yyparse () at y.tab.c:1821
#12 0x0000555555585772 in parse_command () at eval.c:294
#13 0x0000555555585858 in read_command () at eval.c:338
#14 0x00005555555853b1 in reader_loop () at eval.c:140
#15 0x0000555555582f71 in main (argc=1, argv=0x7fffffffe478,
env=0x7fffffffe488) at shell.c:794

(gdb) frame 1
#1  0x00005555555b1ff7 in expassign () at expr.c:505
505           lhs = savestring (tokstr);
(gdb) p tokstr
$5 = 0x0

I still don't understand why this isn't triggered by:

bash-4.4$ "$[U[0S]+=]"
bash: 0S: value too great for base (error token is "0S")

It seems like the array index expression causes a longjmp in the
second case, so it stops evaluating.

Found by fuzzing.

I think this might be similar to
https://lists.gnu.org/archive/html/bug-bash/2017-05/msg00046.html
(i.e. ``Segmentation fault in evalerror when xtrace and
PS4='$[T[$]]'``)

I think the fix *may* be something like:

dualbus@debian:~/src/gnu/bash$ git diff -- expr.c
diff --git a/expr.c b/expr.c
index 1770cc00..d6c50571 100644
--- a/expr.c
+++ b/expr.c
@@ -494,6 +494,8 @@ expassign ()

       if (lasttok != STR)
        evalerror (_("attempted assignment to non-variable"));
+      if (!tokstr)
+       evalerror (_("XXX"));

       if (special)
        {

But I don't know.

Reply via email to