bug-bash

Segmentation fault in pat_subst


From: Eduardo A. Bustamante López
Subject: Segmentation fault in pat_subst
Date: Sat, 20 Jul 2019 15:23:00 -0700
User-agent: Mutt/1.10.1 (2018-07-13)

Bash `devel' crashes under the following circumstances:

| dualbus@system76-pc:/tmp/build-bash-devel$ CFLAGS='-O0 -ggdb' ~/src/gnu/bash/configure --with-bash-malloc
| (...)
| dualbus@system76-pc:/tmp/build-bash-devel$ make -j$(nproc)
| (...)
| dualbus@system76-pc:/tmp/build-bash-devel$ ./bash -c $'x=0; : ${x/#[0\xef\xbf\xbd\\Z[:]]}'
| Segmentation fault (core dumped)


Here's the stack trace:

| dualbus@system76-pc:/tmp/build-bash-devel$ gdb ./bash --args ./bash -c $'x=0; : ${x/#[0\xef\xbf\xbd\\Z[:]]}'
| GNU gdb (Debian 8.2.1-2+b1) 8.2.1
| (...)
| Reading symbols from ./bash...done.
| (gdb) r
| Starting program: /tmp/build-bash-devel/bash -c x=0\;\ :\ \$\{x/\#\[0�\\Z\[:\]\]\}
| 
| Program received signal SIGSEGV, Segmentation fault.
| 0x00005555555d1fae in pat_subst (string=0x55555575f298 "0", pat=0x555555764509 "[0�\\Z[:]]", rep=0x0, mflags=1) at /home/dualbus/src/gnu/bash/subst.c:8136
| 8136      if (str && *str)
| (gdb) bt
| #0  0x00005555555d1fae in pat_subst (string=0x55555575f298 "0", pat=0x555555764509 "[0�\\Z[:]]", rep=0x0, mflags=1) at /home/dualbus/src/gnu/bash/subst.c:8136
| #1  0x00005555555d250b in parameter_brace_patsub (varname=0x55555575f248 "x", value=0x55555575f288 "0", ind=0, patsub=0x555555763f48 "#[0�\\Z[:]]", quoted=0, pflags=0, flags=0)
|     at /home/dualbus/src/gnu/bash/subst.c:8306
| #2  0x00005555555d47e2 in parameter_brace_expand (string=0x555555763f28 "${x/#[0�\\Z[:]]}", indexp=0x7fffffffe0d8, quoted=0, pflags=0, quoted_dollar_atp=0x7fffffffe1d4,
|     contains_dollar_at=0x7fffffffe1cc) at /home/dualbus/src/gnu/bash/subst.c:9028
| #3  0x00005555555d5ae8 in param_expand (string=0x555555763f28 "${x/#[0�\\Z[:]]}", sindex=0x7fffffffe1d8, quoted=0, expanded_something=0x7fffffffe374, contains_dollar_at=0x7fffffffe1cc,
|     quoted_dollar_at_p=0x7fffffffe1d4, had_quoted_null_p=0x7fffffffe1d0, pflags=0) at /home/dualbus/src/gnu/bash/subst.c:9557
| #4  0x00005555555d6ed8 in expand_word_internal (word=0x555555763f68, quoted=0, isexp=0, contains_dollar_at=0x7fffffffe370, expanded_something=0x7fffffffe374)
|     at /home/dualbus/src/gnu/bash/subst.c:10125
| #5  0x00005555555da0b6 in shell_expand_word_list (tlist=0x555555763f88, eflags=31) at /home/dualbus/src/gnu/bash/subst.c:11504
| #6  0x00005555555da3bb in expand_word_list_internal (list=0x555555763948, eflags=31) at /home/dualbus/src/gnu/bash/subst.c:11628
| #7  0x00005555555d95b9 in expand_words (list=0x555555763948) at /home/dualbus/src/gnu/bash/subst.c:11148
| #8  0x00005555555a51d9 in execute_simple_command (simple_command=0x5555557639c8, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x555555763a88)
|     at /home/dualbus/src/gnu/bash/execute_cmd.c:4334
| #9  0x000055555559ed6b in execute_command_internal (command=0x555555763988, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88)
|     at /home/dualbus/src/gnu/bash/execute_cmd.c:823
| #10 0x00005555555a2116 in execute_connection (command=0x555555763a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88) at /home/dualbus/src/gnu/bash/execute_cmd.c:2707
| #11 0x000055555559f134 in execute_command_internal (command=0x555555763a48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x555555763a88)
|     at /home/dualbus/src/gnu/bash/execute_cmd.c:996
| #12 0x0000555555609e4d in parse_and_execute (string=0x5555557632c8 "x=0; : ${x/#[0�\\Z[:]]}", from_file=0x55555566b0f0 "-c", flags=4)
|     at /home/dualbus/src/gnu/bash/builtins/evalstring.c:458
| #13 0x0000555555585632 in run_one_command (command=0x7fffffffebdc "x=0; : ${x/#[0�\\Z[:]]}") at /home/dualbus/src/gnu/bash/shell.c:1424
| #14 0x000055555558477d in main (argc=3, argv=0x7fffffffe8f8, env=0x7fffffffe918) at /home/dualbus/src/gnu/bash/shell.c:735
| 
| (gdb) p str
| $1 = 0xdfdfdfdfdfdfdfdf <error: Cannot access memory at address 0xdfdfdfdfdfdfdfdf>

I have been looking around but I don't understand what's going on. I can see
that the value of `str' comes from `e', which in turn comes from
`match_pattern', but it's not clear to me why this is happening.



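A regression check for the crash reported in this thread, added here as an example; it is not part of the report or of bash. It assumes a POSIX shell to run under and takes the path of the bash binary to test as its argument; the function names are invented.

```shell
# Constructed regression check for the pat_subst crash reported above.
# Not part of bash; the shell path and function names are assumptions.

# Map an exit status to a short verdict. 128+11 (139) means the tested
# shell itself was killed by SIGSEGV, which is what the report shows.
classify_exit_status() {
    case $1 in
        0)   echo ok ;;
        139) echo segfault ;;
        *)   echo "error:$1" ;;
    esac
}

# Run the reported expansion in the given shell binary and print a verdict.
# The pattern is built with printf so the check does not depend on $'...'
# support in the calling shell: "0", U+FFFD (bytes EF BF BD), "\Z", "[:]".
pat_subst_status() {
    shell=$1
    pat=$(printf '0\357\277\275\\Z[:]')
    status=0
    # Same command line as the report: x=0; : ${x/#[0<U+FFFD>\Z[:]]}
    "$shell" -c "x=0; : \${x/#[$pat]}" >/dev/null 2>&1 || status=$?
    classify_exit_status "$status"
}

# Example: pat_subst_status /tmp/build-bash-devel/bash
```

A build with the bug prints `segfault`, a fixed build prints `ok`, and a shell that does not support `${var/pattern}` prints `error:<status>` instead of crashing.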