summaryrefslogtreecommitdiff
path: root/source/a/bash/bash-5.1-patches/bash51-009
blob: 2796c3b9b3cd11e5eac273ef2857fdbb47980c84 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
			     BASH PATCH REPORT
			     =================

Bash-Release:	5.1
Patch-ID:	bash51-009

Bug-Reported-by:	Julien Moutinho <julm+bash@sourcephile.fr>
Bug-Reference-ID:	<20211004035906.5kiobuzkpeckmvwg@sourcephile.fr>
Bug-Reference-URL:	https://lists.gnu.org/archive/html/bug-bash/2021-10/msg00022.html

Bug-Description:

The bash malloc implementation of malloc_usable_size() does not follow the
specification. This can cause library functions that use it to overwrite
memory bounds checking.

Patch (apply with `patch -p0'):

*** ../bash-5.1-patched/lib/malloc/malloc.c	2020-07-08 10:19:30.000000000 -0400
--- lib/malloc/malloc.c	2021-10-05 16:10:55.000000000 -0400
***************
*** 1287,1297 ****
      }
  
!   /* XXX - should we return 0 if ISFREE? */
!   maxbytes = binsize(p->mh_index);
! 
!   /* So the usable size is the maximum number of bytes in the bin less the
!      malloc overhead */
!   maxbytes -= MOVERHEAD + MSLOP;
!   return (maxbytes);
  }
  
--- 1358,1367 ----
      }
  
!   /* return 0 if ISFREE */
!   if (p->mh_alloc == ISFREE)
!     return 0;
!   
!   /* Since we use bounds checking, the usable size is the last requested size. */
!   return (p->mh_nbytes);
  }
  
*** ../bash-5.1/patchlevel.h	2020-06-22 14:51:03.000000000 -0400
--- patchlevel.h	2020-10-01 11:01:28.000000000 -0400
***************
*** 26,30 ****
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 8
  
  #endif /* _PATCHLEVEL_H_ */
--- 26,30 ----
     looks for to find the patch level (for the sccs version string). */
  
! #define PATCHLEVEL 9
  
  #endif /* _PATCHLEVEL_H_ */