[packages/bash.git] / bash-4.2-cve-2014-7169-2.patch

--- ../bash-4.2-orig/parse.y	2014-09-25 13:07:59.218209276 +0200
+++ parse.y	2014-09-25 15:26:52.813159810 +0200
@@ -264,9 +264,21 @@
 
 /* Variables to manage the task of reading here documents, because we need to
    defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
 int need_here_doc;
 
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+  /* Guard against oveflow. */
+  if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+    abort ();
+  redir_stack = xrealloc (redir_stack,
+			  (need_here_doc + 1) * sizeof (*redir_stack));
+  redir_stack[need_here_doc++] = redir;
+}
+
 /* Where shell input comes from.  History expansion is performed on each
    line when the shell is interactive. */
 static char *shell_input_line = (char *)NULL;
@@ -519,42 +531,42 @@
 			  source.dest = 0;
 			  redir.filename = $2;
 			  $$ = make_redirection (source, r_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS WORD
 			{
 			  source.dest = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	REDIR_WORD LESS_LESS WORD
 			{
 			  source.filename = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	LESS_LESS_MINUS WORD
 			{
 			  source.dest = 0;
 			  redir.filename = $2;
 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS_MINUS WORD
 			{
 			  source.dest = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_deblank_reading_until, redir, 0);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	REDIR_WORD  LESS_LESS_MINUS WORD
 			{
 			  source.filename = $1;
 			  redir.filename = $3;
 			  $$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	LESS_LESS_LESS WORD
 			{
@@ -4757,7 +4769,7 @@
     case CASE:
     case SELECT:
     case FOR:
-      if (word_top < MAX_CASE_NEST)
+      if (word_top + 1 < MAX_CASE_NEST)
 	word_top++;
       word_lineno[word_top] = line_number;
       break;
Commit	Line	Data
d6f116f1 AM	1	--- ../bash-4.2-orig/parse.y 2014-09-25 13:07:59.218209276 +0200
	2	+++ parse.y 2014-09-25 15:26:52.813159810 +0200
	3	@@ -264,9 +264,21 @@
	4
	5	/* Variables to manage the task of reading here documents, because we need to
	6	defer the reading until after a complete command has been collected. */
	7	-static REDIRECT *redir_stack[10];
	8	+static REDIRECT **redir_stack;
	9	int need_here_doc;
	10
	11	+/* Pushes REDIR onto redir_stack, resizing it as needed. */
	12	+static void
	13	+push_redir_stack (REDIRECT *redir)
	14	+{
	15	+ /* Guard against oveflow. */
	16	+ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
	17	+ abort ();
	18	+ redir_stack = xrealloc (redir_stack,
	19	+ (need_here_doc + 1) * sizeof (*redir_stack));
	20	+ redir_stack[need_here_doc++] = redir;
	21	+}
	22	+
	23	/* Where shell input comes from. History expansion is performed on each
	24	line when the shell is interactive. */
	25	static char shell_input_line = (char )NULL;
	26	@@ -519,42 +531,42 @@
	27	source.dest = 0;
	28	redir.filename = $2;
	29	$$ = make_redirection (source, r_reading_until, redir, 0);
	30	- redir_stack[need_here_doc++] = $$;
	31	+ push_redir_stack ($$);
	32	}
	33	\| NUMBER LESS_LESS WORD
	34	{
	35	source.dest = $1;
	36	redir.filename = $3;
	37	$$ = make_redirection (source, r_reading_until, redir, 0);
	38	- redir_stack[need_here_doc++] = $$;
	39	+ push_redir_stack ($$);
	40	}
	41	\| REDIR_WORD LESS_LESS WORD
	42	{
	43	source.filename = $1;
	44	redir.filename = $3;
	45	$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
	46	- redir_stack[need_here_doc++] = $$;
	47	+ push_redir_stack ($$);
	48	}
	49	\| LESS_LESS_MINUS WORD
	50	{
	51	source.dest = 0;
	52	redir.filename = $2;
	53	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
	54	- redir_stack[need_here_doc++] = $$;
	55	+ push_redir_stack ($$);
	56	}
	57	\| NUMBER LESS_LESS_MINUS WORD
	58	{
	59	source.dest = $1;
	60	redir.filename = $3;
	61	$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
	62	- redir_stack[need_here_doc++] = $$;
	63	+ push_redir_stack ($$);
	64	}
65	\| REDIR_WORD LESS_LESS_MINUS WORD
66	{
67	source.filename = $1;
68	redir.filename = $3;
69	$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
70	- redir_stack[need_here_doc++] = $$;
71	+ push_redir_stack ($$);
72	}
73	\| LESS_LESS_LESS WORD
74	{
75	@@ -4757,7 +4769,7 @@
76	case CASE:
77	case SELECT:
78	case FOR:
79	- if (word_top < MAX_CASE_NEST)
80	+ if (word_top + 1 < MAX_CASE_NEST)
81	word_top++;
82	word_lineno[word_top] = line_number;
83	break;