Re: Segfault assigning to nameref with bad array subscript
From: Piotr Grzybowski
Subject: Re: Segfault assigning to nameref with bad array subscript
Date: Wed, 27 Apr 2016 09:50:37 +0200
Hi Grisha,
confirmed.
I think this one fixes it:
diff --git a/variables.c b/variables.c
index 69ed170..9eeda46 100644
--- a/variables.c
+++ b/variables.c
@@ -2636,9 +2636,14 @@ bind_variable_internal (name, value, table, hflags,
aflags)
#if defined (ARRAY_VARS)
/* declare -n foo=x[2] */
if (valid_array_reference (newval, 0))
+ {
/* XXX - should it be aflags? */
entry = assign_array_element (newval, make_variable_value (entry,
value, 0), aflags);
- else
+ if (entry == NULL)
+ {
+ return NULL;
+ }
+ } else
#endif
{
entry = make_new_variable (newval, table);
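Review bot: In the new `if (entry == NULL)` branch, the early `return NULL;` leaves no way to release the value produced by `make_variable_value (entry, value, 0)`, because that call is passed inline to `assign_array_element`. If it returns allocated storage that the callee does not take ownership of, hold it in a local and free it on both the success and failure paths. A one-line comment stating that NULL here means the subscript was rejected (the "bad array subscript" case from the report) would also help, and the braces around the single `return NULL;` together with `} else` sitting directly above `#endif` would read better laid out like the surrounding code.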
cheers,
pg
On 27 Apr 2016, at 08:45, Grisha Levit wrote:
> Any of the following will crash bash:
>
> declare -n ref=a[*]; ref=
> declare -n ref=a[@]; ref=
> declare -n ref=a[-1]; a=(); ref=
>
> declare -A A; declare -n ref='A[$unset]'; ref=
>
> They all produce "bad array subscript" errors so could be caught.
>
> ==60597== Invalid read of size 4
> ==60597== at 0x100020BEE: bind_variable_internal (variables.c:2717)
> ==60597== by 0x1000392E3: do_assignment_internal (subst.c:3121)
> ==60597== by 0x10003F8D4: expand_word_list_internal (subst.c:3161)
> ==60597== by 0x100019094: execute_command_internal (execute_cmd.c:4105)
> ==60597== by 0x100017BF6: execute_command_internal (execute_cmd.c:2579)
> ==60597== by 0x10006A82E: parse_and_execute (evalstring.c:417)
> ==60597== by 0x1000032E7: run_one_command (in /Users/levit/utils/bin/bash)
> ==60597== by 0x100002502: main (shell.c:724)
> ==60597== Address 0x28 is not stack'd, malloc'd or (recently) free'd