On 6/16/17 10:43 AM, Eduardo A. Bustamante López wrote:
> On Thu, Jun 15, 2017 at 09:39:09AM -0500, Eduardo Bustamante wrote:
>> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address
>> Sanitizer is followed by the base64 encoded crashing input.
>>
>>
>> ==472==ERROR: AddressSanitizer: heap-buffer-overflow on address
>> 0x61100000977f at pc 0x562befba4a14 bp 0x7ffdee172bb0 sp 0x7ffdee172ba8
>> READ of size 1 at 0x61100000977f thread T0
>> #0 0x562befba4a13 in rl_tilde_expand
>> (/home/dualbus/src/gnu/bash-build/bash+0x23ba13)
>
> This one looks like an easy fix. When `start = 0', the loop ends up
> dereferencing `rl_line_buffer[-1]'. Changing the order of the test does the
> trick.
This is indeed the right fix.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
