BASH PATCH REPORT ================= Bash-Release: 2.05b Patch-ID: bash205b-011 Bug-Reported-by: Florian Weimer Bug-Reference-ID: Bug-Reference-URL: Bug-Description: There are two local buffer overflows in parse.y that can cause the shell to dump core when given many here-documents attached to a single command or many nested loops. Patch: *** ../bash-2.05b.10/parse.y 2014-09-25 16:46:51.000000000 -0400 --- parse.y 2014-09-30 20:11:38.000000000 -0400 *************** *** 162,165 **** --- 162,168 ---- static int reserved_word_acceptable __P((int)); static int yylex __P((void)); + + static void push_heredoc __P((REDIRECT *)); + static char *mk_alexpansion __P((char *)); static int alias_expand_token __P((char *)); static int time_command_acceptable __P((void)); *************** *** 249,253 **** /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ ! static REDIRECT *redir_stack[10]; int need_here_doc; --- 252,258 ---- /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */ ! #define HEREDOC_MAX 16 ! ! static REDIRECT *redir_stack[HEREDOC_MAX]; int need_here_doc; *************** *** 405,409 **** redir.filename = $2; $$ = make_redirection (0, r_reading_until, redir); ! redir_stack[need_here_doc++] = $$; } | NUMBER LESS_LESS WORD --- 410,414 ---- redir.filename = $2; $$ = make_redirection (0, r_reading_until, redir); ! push_heredoc ($$); } | NUMBER LESS_LESS WORD *************** *** 411,415 **** redir.filename = $3; $$ = make_redirection ($1, r_reading_until, redir); ! redir_stack[need_here_doc++] = $$; } | LESS_LESS_LESS WORD --- 416,420 ---- redir.filename = $3; $$ = make_redirection ($1, r_reading_until, redir); ! push_heredoc ($$); } | LESS_LESS_LESS WORD *************** *** 468,472 **** $$ = make_redirection (0, r_deblank_reading_until, redir); ! 
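Review bot: `HEREDOC_MAX` (hunk at new lines 252-258) is introduced without a comment saying what enforces it, so a later edit could resize `redir_stack` or add a writer without touching the check. A line such as `/* Max here-documents pending on one command; enforced only in push_heredoc(). */` above the `#define` would record that. Code outside this hunk that walks `redir_stack` up to `need_here_doc` presumably relies on the same bound, so it is worth confirming that it never indexes past `HEREDOC_MAX`.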
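Review bot: The bound only holds if every store into `redir_stack` goes through `push_heredoc`, and these hunks show only four converted sites. They are this hunk (new lines 410-414) and the ones at 416-420, 473-477 and 480-484, covering the `LESS_LESS` and `LESS_LESS_MINUS` actions. Before merging, search parse.y for any remaining `redir_stack[need_here_doc++] = ...` and route it through the helper as well. The grammar actions begin and end outside these hunks, so the rest of each rule is not visible here.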
redir_stack[need_here_doc++] = $$; } | NUMBER LESS_LESS_MINUS WORD --- 473,477 ---- $$ = make_redirection (0, r_deblank_reading_until, redir); ! push_heredoc ($$); } | NUMBER LESS_LESS_MINUS WORD *************** *** 475,479 **** $$ = make_redirection ($1, r_deblank_reading_until, redir); ! redir_stack[need_here_doc++] = $$; } | GREATER_AND '-' --- 480,484 ---- $$ = make_redirection ($1, r_deblank_reading_until, redir); ! push_heredoc ($$); } | GREATER_AND '-' *************** *** 2090,2093 **** --- 2095,2113 ---- static int esacs_needed_count; + static void + push_heredoc (r) + REDIRECT *r; + { + if (need_here_doc >= HEREDOC_MAX) + { + last_command_exit_value = EX_BADUSAGE; + need_here_doc = 0; + report_syntax_error ("maximum here-document count exceeded"); + reset_parser (); + exit_shell (last_command_exit_value); + } + redir_stack[need_here_doc++] = r; + } + void gather_here_documents ()
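Review bot: `push_heredoc` (new lines 2095-2113) has no comment explaining that exceeding the limit is fatal. The overflow branch calls `exit_shell`, so a command with more than `HEREDOC_MAX` here-documents ends the shell rather than only failing the parse. I would add a header comment such as `/* Record R on redir_stack; exits the shell with EX_BADUSAGE once HEREDOC_MAX is exceeded. */`, and note beside `need_here_doc = 0;` that the reset keeps the final store in bounds even if `exit_shell` were ever to return. The check is upper-bound only, on a signed global `int`. If anything outside this hunk can leave `need_here_doc` negative, `if (need_here_doc < 0 || need_here_doc >= HEREDOC_MAX)` would cover that case too.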