BASH PATCH REPORT ================= Bash-Release: 4.4 Patch-ID: bash44-003 Bug-Reported-by: op7ic \x00 <op7ica@gmail.com> Bug-Reference-ID: <CAFHyJTopWC5Jx+U7WcvxSZKu+KrqSf+_3sHPiRWo=VzXSiPq=w@mail.gmail.com> Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2016-11/msg00005.html Bug-Description: Specially-crafted input, in this case an incomplete pathname expansion bracket expression containing an invalid collating symbol, can cause the shell to crash. Patch (apply with `patch -p0'): *** ../bash-4.4/lib/glob/sm_loop.c 2016-04-10 11:23:21.000000000 -0400 --- lib/glob/sm_loop.c 2016-11-02 14:03:34.000000000 -0400 *************** *** 331,334 **** --- 331,340 ---- if (p[pc] == L('.') && p[pc+1] == L(']')) break; + if (p[pc] == 0) + { + if (vp) + *vp = INVALID; + return (p + pc); + } val = COLLSYM (p, pc); if (vp) *************** *** 484,487 **** --- 490,496 ---- c = FOLD (c); + if (c == L('\0')) + return ((test == L('[')) ? savep : (CHAR *)0); + if ((flags & FNM_PATHNAME) && c == L('/')) /* [/] can never match when matching a pathname. */ *** ../bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 --- patchlevel.h 2016-10-01 11:01:28.000000000 -0400 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 2 #endif /* _PATCHLEVEL_H_ */ --- 26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 3 #endif /* _PATCHLEVEL_H_ */