out of bounds in bashline.c attempt_shell_completion
From: David Krause
Subject: out of bounds in bashline.c attempt_shell_completion
Date: Tue, 25 May 2004 16:26:11 -0500
User-agent: Mutt/1.4.1i
Configuration Information:
Machine: i386
OS: openbsd3.5
Compiler: cc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i386'
-DCONF_OSTYPE='openbsd3.5' -DCONF_MACHTYPE='i386-unknown-openbsd3.5'
-DCONF_VENDOR='unknown' -DSHELL -DHAVE_CONFIG_H -I.
-I/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b
-I/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/include
-I/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib -O2
uname output: OpenBSD celtic.netcentral.net 3.5 NETCENTRAL#2 i386
Machine Type: i386-unknown-openbsd3.5
Bash Version: 2.05b
Patch Level: 0
Release Status: release
Description:
Core was generated by `bash'.
Program terminated with signal 11, Segmentation fault.
#0 0x1c0284e6 in attempt_shell_completion (text=0x3c0697e0 "/usr/loc",
start=0, end=8)
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/bashline.c:925
925 if (rl_line_buffer[ti] == '"' || rl_line_buffer[ti] == '\'')
(gdb) bt
#0 0x1c0284e6 in attempt_shell_completion (text=0x3c0697e0 "/usr/loc",
start=0, end=8)
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/bashline.c:925
#1 0x1c0442e1 in gen_completion_matches (text=0x3c0697e0 "/usr/loc", start=0,
end=8, our_func=0x1c045448 <rl_filename_completion_function>,
found_quote=0, quote_char=0)
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/complete.c:794
#2 0x1c04508a in rl_complete_internal (what_to_do=9)
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/complete.c:1486
#3 0x1c043aaa in rl_complete (ignore=1, invoking_key=9)
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/complete.c:322
#4 0x1c04063e in _rl_dispatch_subseq (key=9, map=0x3c02e220, got_subseq=0)
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:580
#5 0x1c0404fa in _rl_dispatch (key=9, map=0x3c02e220)
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:529
#6 0x1c0403b9 in readline_internal_char ()
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:443
#7 0x1c04047d in readline_internal_charloop ()
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:489
#8 0x1c040498 in readline_internal ()
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:503
#9 0x1c040111 in readline (prompt=0x3c069140 "-bash-2.05b# ")
at
/usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/lib/readline/readline.c:299
#10 0x1c0025d8 in yy_readline_get ()
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:1108
#11 0x1c002539 in yy_getc ()
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:1042
#12 0x1c002d25 in shell_getc (remove_quoted_newline=1)
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:1803
#13 0x1c003710 in read_token (command=0)
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:2414
#14 0x1c00322b in yylex ()
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/parse.y:2084
#15 0x1c006cb4 in yyparse () at y.tab.c:4700
#16 0x1c00234d in parse_command ()
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/eval.c:217
#17 0x1c002402 in read_command ()
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/eval.c:261
#18 0x1c00219f in reader_loop ()
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/eval.c:128
#19 0x1c0009e6 in main (argc=1, argv=0xcfbf4d3c, env=0xcfbf4d44)
at /usr/ports/shells/bash2/w-bash-2.05b-static/bash-2.05b/shell.c:680
#20 0x1c000211 in ___start ()
(gdb) p rl_line_buffer
$1 = 0x3c047000 "/usr/loc"
(gdb) p ti
$2 = -1
(gdb) p rl_line_buffer[ti]
Cannot access memory at address 0x3c046fff.
Repeat-By:
This crash occurs on both OpenBSD 3.5-stable and 3.5-current when
malloc debugging options are used (ln -s AJFG /etc/malloc.conf). Trying
to complete "/usr/loc"(tab) will occasionally crash the whole shell. It
looks like the array index is -1 and then it tries to get the value at
array[-1].
If you type "/usr/loc" and press tab, then attempt_shell_completion
is called with start=0. Then the code sets ti = start - 1, which means
ti=-1 and the quote check tries to read rl_line_buffer[-1], going out of
bounds. It looks like this happens on Linux too, albeit without a crash.
David
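
The read described in the report, as an added example that is not part of the original message and is not bash's source: the hypothetical functions `quote_before_unchecked` and `quote_before_checked` model the `ti = start - 1` quote check with and without a bounds test. The constructed `guarded_line` harness (assuming a POSIX system with `mmap` and `fork`) puts the line at the first byte of a page whose predecessor is inaccessible, matching the gdb output where `rl_line_buffer` is 0x3c047000 and 0x3c046fff cannot be read.

```c
#define _DEFAULT_SOURCE              /* exposes MAP_ANON under strict -std= modes */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Unchecked form, as the report describes it: ti = start - 1, then read. */
static int quote_before_unchecked(const char *line, int start) {
    volatile const char *p = line;   /* volatile so the read is really emitted */
    int ti = start - 1;              /* -1 when start == 0 */
    return p[ti] == '"' || p[ti] == '\'';
}

/* Checked form: when start == 0 there is no preceding character to test. */
static int quote_before_checked(const char *line, int start) {
    int ti = start - 1;
    return ti >= 0 && (line[ti] == '"' || line[ti] == '\'');
}

/* Constructed harness: s starts a page whose predecessor is inaccessible. */
static char *guarded_line(const char *s) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *m = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (m == MAP_FAILED || mprotect(m, pg, PROT_NONE) != 0)
        return NULL;
    return strcpy(m + pg, s);
}

/* Run fn in a child; return the signal that killed it, or 0 if it returned. */
static int fatal_signal(int (*fn)(const char *, int), const char *line, int start) {
    int st = 0;
    pid_t pid = fork();
    if (pid == 0) {
        signal(SIGSEGV, SIG_DFL);    /* default action even if a handler was set */
        _exit(fn(line, start));
    }
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFSIGNALED(st) ? WTERMSIG(st) : 0;
}

int main(void) {
    char *line = guarded_line("/usr/loc");   /* constructed input, as in the report */
    if (!line) return 1;
    printf("unchecked: signal %d\n", fatal_signal(quote_before_unchecked, line, 0));
    printf("checked:   signal %d\n", fatal_signal(quote_before_checked, line, 0));
    return 0;
}
```

With an ordinary heap allocation the byte before the buffer is usually mapped, so the unchecked read returns an arbitrary value instead of faulting, which is consistent with the report's remark that the problem shows up without a crash elsewhere.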