Re: Segfault assigning to nameref with bad array subscript

[Piotr Grzybowski]

Hi Grisha,

 confirmed.
 I think this one fixes it:

diff --git a/variables.c b/variables.c
index 69ed170..9eeda46 100644
--- a/variables.c
+++ b/variables.c
@@ -2636,9 +2636,14 @@ bind_variable_internal (name, value, table, hflags, 
aflags)
 #if defined (ARRAY_VARS)
       /* declare -n foo=x[2] */
       if (valid_array_reference (newval, 0))
+        {
         /* XXX - should it be aflags? */
        entry = assign_array_element (newval, make_variable_value (entry, 
value, 0), aflags);
-      else
+         if (entry == NULL)
+           {
+             return NULL;
+           }
+        } else
 #endif
       {
       entry = make_new_variable (newval, table);


cheers,
pg


On 27 Apr 2016, at 08:45, Grisha Levit wrote:

> Any of the following will crash bash:
> 
> declare -n ref=a[*]; ref=
> declare -n ref=a[@]; ref=
> declare -n ref=a[-1]; a=(); ref=
> 
> declare -A A; declare -n ref='A[$unset]'; ref=
> 
> They all produce "bad array subscript" errors so could be caught.
> 
> ==60597== Invalid read of size 4
> ==60597==    at 0x100020BEE: bind_variable_internal (variables.c:2717)
> ==60597==    by 0x1000392E3: do_assignment_internal (subst.c:3121)
> ==60597==    by 0x10003F8D4: expand_word_list_internal (subst.c:3161)
> ==60597==    by 0x100019094: execute_command_internal (execute_cmd.c:4105)
> ==60597==    by 0x100017BF6: execute_command_internal (execute_cmd.c:2579)
> ==60597==    by 0x10006A82E: parse_and_execute (evalstring.c:417)
> ==60597==    by 0x1000032E7: run_one_command (in /Users/levit/utils/bin/bash)
> ==60597==    by 0x100002502: main (shell.c:724)
> ==60597==  Address 0x28 is not stack'd, malloc'd or (recently) free'd