summaryrefslogtreecommitdiffstats
path: root/meta/recipes-extended/bash/bash/CVE-2016-9401.patch
blob: 28c927743cd167c4b66e4c8aa92b2bd1562e3f71 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
From fa741771ed47b30547be63b5b5dbfb51977aca12 Mon Sep 17 00:00:00 2001
From: Chet Ramey <chet.ramey@case.edu>
Date: Fri, 20 Jan 2017 11:47:31 -0500
Subject: [PATCH] Bash-4.4 patch 6

Bug-Reference-URL:
https://lists.gnu.org/archive/html/bug-bash/2016-11/msg00116.html

Reference to upstream patch:
https://ftp.gnu.org/pub/gnu/bash/bash-4.4-patches/bash44-006

Bug-Description:
Out-of-range negative offsets to popd can cause the shell to crash attempting
to free an invalid memory block.

Upstream-Status: Backport
CVE: CVE-2016-9401
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
 builtins/pushd.def | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/builtins/pushd.def b/builtins/pushd.def
index 9c6548f..8a13bae 100644
--- a/builtins/pushd.def
+++ b/builtins/pushd.def
@@ -359,7 +359,7 @@ popd_builtin (list)
 	break;
     }
 
-  if (which > directory_list_offset || (directory_list_offset == 0 && which == 0))
+  if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0))
     {
       pushd_error (directory_list_offset, which_word ? which_word : "");
       return (EXECUTION_FAILURE);
@@ -381,6 +381,11 @@ popd_builtin (list)
 	 remove that directory from the list and shift the remainder
 	 of the list into place. */
       i = (direction == '+') ? directory_list_offset - which : which;
+      if (i < 0 || i > directory_list_offset)
+	{
+	  pushd_error (directory_list_offset, which_word ? which_word : "");
+	  return (EXECUTION_FAILURE);
+	}
       free (pushd_directory_list[i]);
       directory_list_offset--;
 
-- 
1.9.1