On 8/14/25 11:41 PM, Nathan Mills wrote:
Bash Version: 5.2
Patch Level: 37
Release Status: release

Description:
[Detailed description of the problem, suggestion, or complaint.]

Bash 5.3 crashes on a syntactically invalid IFS array. Setting the IFS variable to a syntactically invalid array causes Bash to free the old value of IFS (in convert_var_to_array), leaving `ifs_value` as a dangling pointer. When Bash later tries to use ifs_value in expand_word_internal, AddressSanitizer immediately complains about a use-after-free.

Thanks for the detailed report. The array assignment is syntactically valid -- there's no assignment error there -- the question is what semantics should apply to the result.

When we change the type of a variable to an indexed or associative array, that code should call whatever function a potential special variable needs. That takes care of any pointer aliasing problems.

The semantic issue is different. Should the shell simply ignore an attempt to make IFS into an array, and treat it as if IFS were unset, or should it use IFS[0] as the set of delimiter characters?

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/
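
The pointer aliasing problem and the "call the special variable's function on type change" fix discussed in this thread, as an added C example that is not bash source and not written by either poster. `struct var`, `ifs_cache`, `ifs_hook`, `to_array` and the copy-into-element-0 conversion are assumptions of this toy model; the `policy` enum covers the two semantics the reply asks about.

```c
/* Toy model, not bash source: a cached alias to a variable's value and a
   scalar-to-array conversion that must notify the cache's owner. */
#include <stdlib.h>
#include <string.h>

enum policy { AS_UNSET, USE_ELEM0 };    /* the two semantics in question */
struct var { char *scalar; char **elems; size_t nelems; };

static const char *ifs_cache;           /* stands in for the cached ifs_value */
static const char default_ifs[] = " \t\n";

static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    if (!d) abort();
    return strcpy(d, s);
}

/* Special-variable hook: re-derive the cache from the variable's current
   storage so it never aliases memory that has been released. */
static void ifs_hook(const struct var *v, enum policy p)
{
    if (v->scalar)                        ifs_cache = v->scalar;
    else if (p == USE_ELEM0 && v->nelems) ifs_cache = v->elems[0];
    else                                  ifs_cache = default_ifs;
}

static struct var *var_new(const char *s, enum policy p)
{
    struct var *v = calloc(1, sizeof *v);
    if (!v) abort();
    v->scalar = dup_str(s);
    ifs_hook(v, p);
    return v;
}

/* Assumed conversion: the old string becomes element 0 (as a copy) and the
   original is freed. Without the final ifs_hook() call, ifs_cache would
   still hold the freed pointer. */
static void to_array(struct var *v, enum policy p)
{
    v->elems = calloc(1, sizeof *v->elems);
    if (!v->elems) abort();
    v->elems[0] = dup_str(v->scalar);
    v->nelems = 1;
    free(v->scalar);
    v->scalar = NULL;
    ifs_hook(v, p);
}
```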