Path: csiph.com!optima2.xanadu-bbs.net!xanadu-bbs.net!news.glorb.com!usenet.stanford.edu!not-for-mail
From: Chet Ramey <chet.ramey@case.edu>
Newsgroups: gnu.bash.bug
Subject: Re: Integer Overflow in braces
Date: Tue, 18 Aug 2015 10:37:44 -0400
Lines: 20
Approved: bug-bash@gnu.org
Message-ID: <mailman.8534.1439908681.904.bug-bash@gnu.org>
References: <CABq52TYThGj9OtBn3xTti5scmA=WdnS7ULw3G6GMayPK6WR0+w@mail.gmail.com> <5768562.ErHXazUaoC@smorgbox> <20150818130433.GF4309@eeg.ccf.org> <1558903.maOEY5AuEr@smorgbox>
Reply-To: chet.ramey@case.edu
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-Trace: usenet.stanford.edu 1439908682 13128 208.118.235.17 (18 Aug 2015 14:38:02 GMT)
X-Complaints-To: action@cs.stanford.edu
Cc: Greg Wooledge <wooledg@eeg.ccf.org>, Pasha K <pashakravtsov@gmail.com>, chet.ramey@case.edu
To: Dan Douglas <ormaaj@gmail.com>, bug-bash@gnu.org
Envelope-to: bug-bash@gnu.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
In-Reply-To: <1558903.maOEY5AuEr@smorgbox>
X-Junkmail-Status: score=10/50, host=mpv6.cwru.edu
X-Junkmail-Whitelist: YES (by domain whitelist at mpv2.tis.cwru.edu)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.4.x-2.6.x [generic]
X-Received-From: 129.22.105.37
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref: csiph.com gnu.bash.bug:11371

On 8/18/15 9:12 AM, Dan Douglas wrote:

> Actually I think I spoke too soon. There's already some considerable logic in 
> braces.c to check for overflow (e.g. around braces.c:390 shortly after 
> declaration of the int). Looks like there were some changes in this code last 
> year to "beef it up" a bit. (see commit 
> 67440bc5959a639359bf1dd7d655915bf6e9e7f1). I suspect this is probably fixed in 
> devel.

Well, `fixed' is a tricky thing.  There is code in bash-4.4 to use malloc
instead of xmalloc -- which just aborts on failure -- but there is only so
much you can do to protect someone from himself.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/