authorAlex Harpin <development@landsofshadow.co.uk>2014-09-27 16:17:56 +0100
committerAlex Harpin <development@landsofshadow.co.uk>2014-09-27 16:40:28 +0100
commit577281feecdcc562b6cdb1e3eabbc7abe43dc752 (patch)
tree2321caf83366834972377cf0d12673bc0dc13731 /parse.y
parente538444ae4325bb1f6b35155ffd13ea1b2ab9bcd (diff)
vyatta-bash: import patch from Redhat for CVE-2014-7169
Import the patch from Red Hat to fix CVE-2014-7169, which was reported after the fix for CVE-2014-6271 turned out not to fix the issue completely.
Original Author : Ondrej Oprala <ooprala@redhat.com> http://pkgs.fedoraproject.org/cgit/bash.git/commit/?h=f20&id=9766d4f8827c16deaf3681bb52859bb3828bcc4b
Related to Bug #324 Bug #326 http://bugzilla.vyos.net/show_bug.cgi?id=326
Diffstat (limited to 'parse.y')
-rw-r--r--parse.y26
1 files changed, 18 insertions, 8 deletions
diff --git a/parse.y b/parse.y
index d440713..c046920 100644
--- a/parse.y
+++ b/parse.y
@@ -261,9 +261,19 @@ int parser_state;
/* Variables to manage the task of reading here documents, because we need to
defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
int need_here_doc;
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void push_redir_stack (REDIRECT *redir)
+{
+ /* Guard against oveflow. */
+ if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+ abort ();
+ redir_stack = xrealloc (redir_stack, (need_here_doc + 1) * sizeof (*redir_stack));
+ redir_stack[need_here_doc++] = redir;
+}
+
/* Where shell input comes from. History expansion is performed on each
line when the shell is interactive. */
static char *shell_input_line = (char *)NULL;
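Review bot: The overflow guard in push_redir_stack calls `abort ()`, so a script with enough here-documents ends the shell with SIGABRT rather than a parse error; if the parser's error path can be reached from here that would be a more controlled failure, and otherwise the choice deserves a comment. The guard also compares the int `need_here_doc + 1` against a size_t quotient, and an explicit cast would make the conversion visible: `if ((size_t) need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))`. The comment has a typo (`oveflow`), and the function's header comment could record the invariant its readers depend on, e.g. `/* redir_stack is grown one slot per push; entries 0..need_here_doc-1 are valid. */`. Code that resets or decrements need_here_doc lies outside this hunk and should be checked against that invariant.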
@@ -516,42 +526,42 @@ redirection: '>' WORD
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_MINUS WORD
{
source.dest = 0;
redir.filename = $2;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| NUMBER LESS_LESS_MINUS WORD
{
source.dest = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, 0);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| REDIR_WORD LESS_LESS_MINUS WORD
{
source.filename = $1;
redir.filename = $3;
$$ = make_redirection (source, r_deblank_reading_until, redir, REDIR_VARASSIGN);
- redir_stack[need_here_doc++] = $$;
+ push_redir_stack ($$);
}
| LESS_LESS_LESS WORD
{
@@ -4746,7 +4756,7 @@ got_token:
case CASE:
case SELECT:
case FOR:
- if (word_top < MAX_CASE_NEST)
+ if (word_top + 1 < MAX_CASE_NEST)
word_top++;
word_lineno[word_top] = line_number;
break;
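Review bot: The unbraced `if` in the CASE/SELECT/FOR arm now saturates word_top at `MAX_CASE_NEST - 1`, but the store on the following line still runs unconditionally, so nesting beyond the cap silently overwrites the last slot's line number. That is presumably intended (it keeps the write inside word_lineno, assuming the array is declared with MAX_CASE_NEST elements outside this hunk), but it is worth stating in a comment: `/* Saturate at the last slot; deeper nesting reuses word_lineno[MAX_CASE_NEST - 1]. */`. Bracing the `if` would also make it clear that only the increment is conditional. The matching decrement is not visible here and should be checked so that word_top stays balanced once the cap has been hit.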