From: Chris Schoenberg
Newsgroups: gnu.bash.bug
Subject: Re: v4.4 segfault in 'decode_prompt_string' when processing special parameter
Date: Sat, 21 Jul 2018 17:11:53 -0500
To: bug-bash@gnu.org

The payload got filtered, so here it is again
(substitute the actual character for [at]): $\{_[at]P};${_[at]P}

On Sat, Jul 21, 2018, 1:47 PM Chris Schoenberg wrote:

> This only works in 4.4; earlier versions throw a 'bad substitution' error. It
> causes an infinite loop of calls between 'expand_prompt_string' and 'decode_prompt_string',
> where calls to 'xmalloc' exhaust the heap:
> ...