On Thu, Oct 26, 2017 at 11:07:57PM +0200, Jakub Wilk wrote:
[...]
> Bash Version: 20171020 snapshot
>
> Apparently an out-of-bounds read can happen in parse_comsub() when checking
> script syntax. To reproduce, rebuild bash with AddressSanitizer enabled and
> run:
>
> $ printf '$(00\177%012d\1%d00\177%090d\177%028d(%0267d\177%010d<<-\276%019d\n\n' | bash -n
I can reproduce this error too. It seems `ret' is missing a NUL terminator,
so `STREQN' reads past the allocated buffer. I'm not sure if this is the
right fix, but at least it makes the issue go away for me:

dualbus@ubuntu:~/src/gnu/build-bash-devel$ CFLAGS='-g -O0 -fsanitize=address' ../bash/configure --without-bash-malloc && make -j8
[...]
dualbus@ubuntu:~/src/gnu/build-bash-devel$ printf '$(00\177%012d\1%d00\177%090d\177%028d(%0267d\177%010d<<-\276%019d\n\n' | ./bash -n
./bash: line 1: unexpected EOF while looking for matching `)'
./bash: line 3: syntax error: unexpected end of file

diff --git a/parse.y b/parse.y
index 623648c6..67d9b3c3 100644
--- a/parse.y
+++ b/parse.y
@@ -3838,6 +3838,7 @@ eof_error:
 	  tind = lex_firstind;
 	  while ((tflags & LEX_STRIPDOC) && ret[tind] == '\t')
 	    tind++;
+	  ret[retsize - 1] = '\0';
 	  if (STREQN (ret + tind, heredelim, hdlen))
 	    {
 	      tflags &= ~(LEX_STRIPDOC|LEX_INHEREDOC|LEX_QUOTEDDOC);
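Review bot: the sentinel written by `ret[retsize - 1] = '\0';` terminates the allocation, not the collected text, so `STREQN (ret + tind, heredelim, hdlen)` can still compare up to `hdlen` bytes that lie between the end of what parse_comsub() has actually stored and the end of the allocation; those bytes are uninitialised or stale and could produce a spurious delimiter match, and the tab-stripping loop `while ((tflags & LEX_STRIPDOC) && ret[tind] == '\t')` advances `tind` over the same unbounded region. A check that the number of bytes collected after `tind` is at least `hdlen` before calling STREQN (and an upper bound on the tab-stripping loop) would remove the out-of-bounds read at its cause rather than masking it, and would not depend on the last slot of the buffer never being used for content.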
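An added example, not code from bash or from either message above: a here-document delimiter check that bounds the comparison by the number of bytes actually collected instead of relying on a NUL terminator. The names delim_matches, skip_leading_tabs and line_ends_heredoc are my own; buf/len stand in for bash's `ret' buffer and its fill index, and the sample text is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded delimiter comparison. buf/len model the accumulated
 * command-substitution text and how much of it is filled; tind is the
 * offset at which the candidate delimiter starts. The compare is refused
 * outright when fewer than dlen bytes remain, so nothing past the filled
 * region is ever read, whether or not the buffer carries a NUL. */
int delim_matches(const char *buf, size_t len, size_t tind,
                  const char *delim, size_t dlen)
{
    if (tind > len || len - tind < dlen)   /* not enough bytes to compare */
        return 0;
    return memcmp(buf + tind, delim, dlen) == 0;
}

/* Skip leading tabs as a <<- here-document does, but never beyond len. */
size_t skip_leading_tabs(const char *buf, size_t len, size_t start)
{
    size_t i = start;
    while (i < len && buf[i] == '\t')
        i++;
    return i;
}

/* The two steps from the hunk, strip tabs then compare, over a buffer
 * whose filled length is known but which has no terminating NUL. */
int line_ends_heredoc(const char *buf, size_t len, size_t line_start,
                      const char *delim, int strip_tabs)
{
    size_t tind = strip_tabs ? skip_leading_tabs(buf, len, line_start)
                             : line_start;
    return delim_matches(buf, len, tind, delim, strlen(delim));
}

int main(void)
{
    /* Constructed input; sizeof - 1 excludes the literal's own NUL so the
     * counted region has no terminator, as in the reported case. */
    static const char sample[] = "cat <<-EOF\n\t\tline\n\tEOF\n";
    size_t len = sizeof sample - 1;          /* 23 bytes */
    printf("%d\n", line_ends_heredoc(sample, len, 18, "EOF", 1)); /* 1 */
    printf("%d\n", line_ends_heredoc(sample, len, 11, "EOF", 1)); /* 0 */
    /* Truncated buffer: only "\tEO" of the last line has been collected. */
    printf("%d\n", line_ends_heredoc(sample, 21, 18, "EOF", 1));  /* 0 */
    return 0;
}
```

The length check is the part the hunk lacks: a terminator at the end of the allocation only stops a strncmp-style loop, whereas refusing the compare when fewer than dlen bytes are filled also prevents stale bytes beyond the collected text from matching.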