Bug#403467: bash: A smaller script

[Kingsley G. Morse Jr.]

Package: bash
Version: 4.0-7
Severity: normal


Hi,

I'm happy to report that I may have duplicated
this bug with version 4.0-7 and a much smaller
script.

I'll try to attach it to this bug report.

The error message I get is

    malloc: ../bash/subst.c:4198: assertion botched
    realloc: start and end chunk sizes differ
    Aborting...tmp/bug: line 283:  9468 Done 
          9469 Aborted                 (core dumped)

The thing I find worrisome about this bug is that, at
least for me, it doesn't stop the entire script.

It evidently only crashes a sub-shell. 

So unless users happen to look at log files for
something like "core dumped", we may have no clue
that our data is corrupted.

I humbly suggest running my smaller script with
something like valgrind, or with gdb with a
version of bash with debugging symbols.

Have fun!
Kingsley

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages bash depends on:
ii  base-files                4.0.4          Debian base system miscellaneous f
ii  dash                      0.5.5.1-3      POSIX-compliant shell
ii  debianutils               2.30           Miscellaneous utilities specific t
ii  libc6                     2.9-6          GNU C Library: Shared libraries
ii  libncurses5               5.7+20090314-1 shared libraries for terminal hand

Versions of packages bash recommends:
ii  bash-completion               20080705   programmable completion for the ba

Versions of packages bash suggests:
ii  bash-doc                      4.0-7      Documentation and examples for the

-- no debconf information

echo $SHELL

# The ten lines of code that crash Debian Linux's version 4.0-7 of bash are at 
the end of this file.
# I suspect they'd also crash version 3.2-4.
#
# Running this script gives me...
#
#     /bin/bash
#     
#     malloc: ../bash/subst.c:4198: assertion botched
#     realloc: start and end chunk sizes differ
#     Aborting...tmp/bug: line 262:  5253 Done                    echo "$v"
#           5254 Aborted                 (core dumped) | while read d; do
#         while read c; do
#             :;
#         done < <(echo a);
#     done
#
#
#  This looks similar to 
#
#       http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=417946
#       http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=403467


read -d '' v <<EOF
010.4 
074.67 
37.33 
3616 
40.82 
2099 
023.7 
000382 
000382 
205.01 
205.01 
0866 
0155.1 
0623 
111.58 
3000 
0960 
240 
240 
10.4 
104 
9.4 
94 
3900 
44.031 
2050 
23.144 
7 
7 
7 
7 
400
400
395
395
390
390
385
385
380
380
375
375
370
370
365
365
360
360
355
355
350
350
345
345
340
340
335
335
330
330
325
325
320
320
315
315
310
310
305
305
300
300
295
295
290
290
285
285
280
280
275
275
270
270
265
265
260
260
255
255
250
250
245
245
240
240
235
235
230
180
175
175
170
170
165
165
160
160
155
155
150
150
145
145
140
140
135
135
130
130
125
125
120
120
115
115
110
110
105
105
100
100
95
95
90
90
85
85
80
80
75
75
70
70
65
65
60
60
55
55
50
50
45
45
40
40
35
35
30
30
25
25
20
20
15
15
10
10
5
5
0
0
5
5
370
365
365
360
360
355
355
350
350
345
345
340
340
335
335
330
330
325
325
320
320
315
315
310
310
305
305
300
300
295
295
290
290
285
285
280
280
275
275
270
270
265
265
260
260
255
255
250
250
245
245
240
240
235
235
230
130
125
110
110
105
105
200
200
13189 
682.1 
60.3 
554.3 
0049 
2498.899 
025.321 
85.5436 
36.8847 
450.9854 
08717.988 
87.5753 
77.4046 
63.1502 
13.6946 
EOF

f(){
    echo "$v" | 
        while read d ; do                                                       
                 
            while read c ; do                                                   
           
                :
            done < <(echo a)
        done
}

f b