On 6/16/17 11:10 AM, Eduardo A. Bustamante López wrote: > On Thu, Jun 15, 2017 at 09:42:41AM -0500, Eduardo Bustamante wrote: >> Found by fuzzing `read -e' with AFL. The stacktrace reported by Address >> Sanitizer is followed by the base64 encoded crashing input. >> >> >> ==11018==ERROR: AddressSanitizer: heap-buffer-overflow on address >> 0x60700000ccc0 at pc 0x559bb60f1be7 bp 0x7ffc36ec8710 sp 0x7ffc36ec8708 >> READ of size 8 at 0x60700000ccc0 thread T0 >> #0 0x559bb60f1be6 in _rl_copy_to_kill_ring >> (/home/dualbus/src/gnu/bash-build/bash+0x23cbe6) > > Easy fix. When `rl_kill_ring_length == rl_max_kills (10)', all of the entries > in the kill ring are shifted. The loop has an off-by-one error though.
This is one possible fix. There is also the asymmetry in the xrealloc below. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/