Path: csiph.com!optima2.xanadu-bbs.net!xanadu-bbs.net!news.glorb.com!usenet.stanford.edu!not-for-mail
From: Dan Douglas <ormaaj@gmail.com>
Newsgroups: gnu.bash.bug
Subject: Re: Integer Overflow in braces
Date: Tue, 18 Aug 2015 08:12:39 -0500
Lines: 33
Approved: bug-bash@gnu.org
Message-ID: <mailman.8517.1439903573.904.bug-bash@gnu.org>
References: <CABq52TYThGj9OtBn3xTti5scmA=WdnS7ULw3G6GMayPK6WR0+w@mail.gmail.com> <5768562.ErHXazUaoC@smorgbox> <20150818130433.GF4309@eeg.ccf.org>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7Bit
X-Trace: usenet.stanford.edu 1439903573 9736 208.118.235.17 (18 Aug 2015 13:12:53 GMT)
X-Complaints-To: action@cs.stanford.edu
Cc: Greg Wooledge <wooledg@eeg.ccf.org>, Pasha K <pashakravtsov@gmail.com>
To: bug-bash@gnu.org
Envelope-to: bug-bash@gnu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:cc:subject:date:message-id:user-agent:in-reply-to :references:mime-version:content-transfer-encoding:content-type; bh=0y2aUqke1dXdybtH7ewyzeZvsYEAtrOkkAm7g3v7A9U=; b=QEqBTl9Edf9vDIh5IYW6fDP5QlfX8ZIsIrIB4EtSecUr+Zi6ei6FIk5uRPyX1pq1vh 2oF9iAkRfXxYKWMj1Q6jvc6uE493bBEVe2rGQ8BYDu4Dz4nhqew0OxPg2qREzNrJ/nJm 8W75yGJM1iJObh9RltVe3JYMM9ZS8wSVVAjUtx/t3NX3T1k2UBOLIiL52VtvARNjO9Zo JyY7Ge9NCF52AUIC0eaVitgqKJhnqpLFT9sj4KEG4MNSk+u0WMhQ3+gj6uJ1N0WR+Q03 RcGlAaCWudClmyVQd2rcHbNpAGC40MybBzNJQR62ZmsoqaNnycWXX1pQCyBHCzhsj5H8 gXoA==
X-Received: by 10.107.138.216 with SMTP id c85mr6743762ioj.187.1439903561143; Tue, 18 Aug 2015 06:12:41 -0700 (PDT)
User-Agent: KMail/5.0.41 alpha1 (Linux/4.2.0-rc7; KDE/5.14.0; x86_64; ; )
In-Reply-To: <20150818130433.GF4309@eeg.ccf.org>
X-detected-operating-system: by eggs.gnu.org: Error: Malformed IPv6 address (bad octet value).
X-Received-From: 2607:f8b0:4001:c06::229
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref: csiph.com gnu.bash.bug:11364

On Tuesday, August 18, 2015 09:04:33 AM Greg Wooledge wrote:
> On Tue, Aug 18, 2015 at 07:54:48AM -0500, Dan Douglas wrote:
> > IMHO the issue of whether the integer is allowed to overflow is separate 
from 
> > the question of whether the resulting expansion is "too big". Code that 
does 
> > an `eval "blah{0..$n}"` is reasonably common and not necessarily stupid. 
> 
> Yes, that's fine.  But I don't actually understand what kind of overflow
> Pasha K was actually trying to test for.  He/she mentioned "nelem", which
> only appears in two places in the bash source code: once in indexed
> arrays, and once in associative arrays.  But there were no arrays in
> the script being executed.
> 
> {0..9999999999999999} should produce an error because it runs out of
> memory.  So I would expect to see a malloc failure, or something similar.
> If Pasha is saying that an integer overflow occurs before the malloc
> failure, then that may or may not be interesting to Chet.  If it crashes
> bash, then it's not interesting to me, because the inevitable malloc
> failure would have crashed it if the overflow didn't.  It only becomes
> interesting to me if the integer overflow causes some weird behavior to
> happen BEFORE bash crashes.
> 

Actually I think I spoke too soon. There's already some considerable logic in 
braces.c to check for overflow (e.g. around braces.c:390 shortly after 
declaration of the int). Looks like there were some changes in this code last 
year to "beef it up" a bit. (see commit 
67440bc5959a639359bf1dd7d655915bf6e9e7f1). I suspect this is probably fixed in 
devel.
-- 
Dan Douglas