Integer overflow in command substitution

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Integer overflow in command substitution

Siteshwar Vashisht-2
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='x86_64' -DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='x86_64-redhat-linux-gnu' -DCONF_VENDOR='redhat' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL -DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib  -D_GNU_SOURCE -DRECYCLES_PIDS -DDEFAULT_PATH_VALUE='/usr/local/bin:/usr/bin'  -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -Wno-parentheses -Wno-format-security
uname output: Linux localhost.localdomain 4.13.12-200.fc26.x86_64 #1 SMP Wed Nov 8 16:47:26 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 4.4
Patch Level: 12
Release Status: release

Repeat-By:
        $ bash -c 'true $(yes xxxxxxxxxxxxxxxx)'
        bash: xrealloc: cannot allocate 18446744071562067968 bytes

Fix:
        Attached patch fixes this issue.

--
--
Siteshwar Vashisht

0001-Avoid-integer-overflow-while-allocating-memory-in-re.patch (910 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Integer overflow in command substitution

Eduardo Bustamante
On Thu, Nov 16, 2017 at 06:50:59AM -0500, Siteshwar Vashisht wrote:
[...]
> Bash Version: 4.4
> Patch Level: 12
> Release Status: release
>
> Repeat-By:
>         $ bash -c 'true $(yes xxxxxxxxxxxxxxxx)'
>         bash: xrealloc: cannot allocate 18446744071562067968 bytes

Interesting! I think this might explain the behavior reported in:
  https://lists.nongnu.org/archive/html/bug-bash/2017-11/msg00051.html