[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Crash when completing a quoted string ending with '\'
From: |
benoit . boissinot |
Subject: |
Crash when completing a quoted string ending with '\' |
Date: |
Thu, 17 Dec 2009 02:28:37 +0100 (CET) |
Configuration Information [Automatically generated, do not change]:
Machine: i486
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i486'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i486-pc-linux-gnu'
-DCONF_VENDOR='pc' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL
-DHAVE_CONFIG_H -I. -I../bash -I../bash/include -I../bash/lib -g -O2 -Wall
uname output: Linux pirzuine 2.6.31-16-generic #52-Ubuntu SMP Thu Dec 3
22:00:22 UTC 2009 i686 GNU/Linux
Machine Type: i486-pc-linux-gnu
Bash Version: 4.0
Patch Level: 33
Release Status: release
Description:
Bash crashes when trying to complete a quoted string ending with '\'
Repeat-By:
Launch bash, type:
"\
and press TAB
See bash crash:
$ "\
malloc: unknown:0: assertion botched
free: start and end chunk sizes differ
last command: XXXXX
Aborting...Aborted
Fix:
The problem is in bash_dequote_filename(). If the string ends with '\',
then a spurious write of '\0' will happen after the end of the
allocated area. This will overwrite the guard and make the free() fail.
Following patch fixes it:
-- bash/bashline.c 2009-12-17 02:13:36.000000000 +0100
+++ /tmp/bashline.c 2009-12-17 02:12:10.000000000 +0100
@@ -3223,9 +3223,10 @@
else if (quoted == '"' && ((sh_syntaxtab[p[1]] & CBSDQUOTE) == 0))
*r++ = *p;
- *r++ = *++p;
- if (*p == '\0')
+ if (*++p == '\0')
break;
+
+ *r++ = *p;
continue;
}
/* Close quote. */
- Crash when completing a quoted string ending with '\',
benoit . boissinot <=