several bash bugs
From: ingok
Subject: several bash bugs
Date: Sat, 3 Nov 2001 11:05:07 +0100
User-agent: Mutt/1.3.20i
Hi,
I am currently programming a bash builtin that works on top
of the bash programmable completion and enables convenient
completion of option arguments and other stuff.
I encountered the following bugs while working with the bash completion code
and especially while I was stress testing my builtin.
ingo
ingok@gmx.net
Bug:
negative command length in programmable_completions() => segfault
Reproduced by:
complete -F f cmd
x=(cmd
positioning the cursor on the paren and hitting TAB will cause a segfault
Patch:
retrieving revision 1.2
diff -u -r1.2 bashline.c
--- bashline.c 2 Sep 2001 20:55:28 -0000 1.2
+++ bashline.c 20 Oct 2001 18:16:43 -0000
@@ -886,7 +886,10 @@
s = find_cmd_start (start);
e = find_cmd_end (end);
n = find_cmd_name (s);
- prog_complete_matches = programmable_completions (n, text, s, e,
&foundcs);
+ if (e>s)
+ prog_complete_matches = programmable_completions (n, text, s, e,
&foundcs);
+ else
+ foundcs=0;
FREE (n);
/* XXX - if we found a COMPSPEC for the command, just return whatever
the programmable completion code returns, and disable the default
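Review bot: the new else branch only sets foundcs=0 and leaves prog_complete_matches unassigned when e <= s. Unless it is already cleared earlier in this function (not visible in the hunk), assign it a null pointer in that branch so the code after FREE (n) never sees a stale value. The guard treats the symptom at the call site, so a one-line comment saying that find_cmd_start()/find_cmd_end() can return e <= s would help whoever fixes those later, and the spacing should follow the surrounding style (e > s, foundcs = 0).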
Comment:
quick hack; one should look at find_cmd_start() and find_cmd_end()
Bug: split_at_delims() loops indefinitely => OOM
Reproduced by:
complete -F f cmd
cmd x${
positioning the cursor after the brace and hitting TAB will cause OOM
Patch: (probably should remove those lengthy comments before applying)
diff -u -r1.1.1.1 subst.c
--- subst.c 2 Sep 2001 13:00:03 -0000 1.1.1.1
+++ subst.c 3 Nov 2001 09:45:18 -0000
@@ -1150,15 +1150,26 @@
else if (string[i] == '$' && (string[i+1] == LPAREN || string[i+1] ==
LBRACE))
{
si = i + 2;
+#if 0
+ /* this has been removed in order to handle this case like other
+ unfinished parameter/command expansions
+ (at least i has to be set to si before returning (or OOM boom)) */
if (string[si] == '\0')
break;
+#endif
if (string[i+1] == LPAREN)
temp = extract_delimited_string (string, &si, "$(", "(", ")"); /* )
*/
else
temp = extract_dollar_brace_string (string, &si, 0);
i = si;
free (temp);
- continue;
+ if (string[i] == '\0')
+ /* if we continue here string[i] is checked only after i has been
+ incremented, which causes i to go over the end of string in case
+ of an unfinished parameter/command expansions */
+ break;
+ else
+ continue;
}
else if (member (string[i], delims))
break;
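Review bot: with the early "if (string[si] == '\0') break;" disabled, extract_delimited_string() and extract_dollar_brace_string() are now called with si already at the terminating NUL, and the new check after "i = si;" only stops the loop if si comes back exactly on the NUL. Please confirm that neither extractor can advance si past the end of string in that case, or clamp si before assigning it to i. The #if 0 block and the long explanatory comments should go: delete the two lines outright and keep a one-line comment at the new break.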
@@ -1225,11 +1236,22 @@
/* If we have a non-whitespace delimiter character, use it to make a
separate field. This is just about what $IFS splitting does and
is closer to the behavior of the shell parser. */
- if (ts == te && d2 && member (string[ts], d2))
+ if (ts == te)
{
- te = ts + 1;
- while (member (string[te], d2))
- te++;
+ if (d2 && member (string[ts], d2))
+ {
+ te = ts + 1;
+ while (member (string[te], d2))
+ te++;
+ }
+ else
+ {
+ /* skip_to_delim() found unfinished '${' or '$('
+ with the changes in skip_to_delim() this case will not happen.
+ but IF it happens it causes an OOM if te is not incremented here
*/
+ report_error("bash: skip_to_delim error\n");
+ te = ts + 2;
+ }
}
token = substring (string, ts, te);
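Review bot: the new else branch runs for every ts == te case that is not a d2 delimiter, including d2 being null, but "te = ts + 2;" is only safe when two more characters really follow ts. Nothing in the branch checks that string[ts] is '$' followed by '{' or '(', so te can land beyond the terminator and substring (string, ts, te) would then read past the end. Test string[ts] and string[ts+1] before stepping by two, or advance by one character, which is enough to guarantee progress.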
Comment:
The important changes have been made in skip_to_delim() and I have no idea
if there are any implications for code outside the completion code.
Bug:
empty itemlist in gen_action_completions() => segfault
Reproduced by:
unalias -a
complete -a cmd
cmd
positioning the cursor after 'cmd' and hitting TAB will cause a segfault
Patch:
diff -u -r1.1.1.1 pcomplete.c
--- pcomplete.c 2 Sep 2001 13:00:03 -0000 1.1.1.1
+++ pcomplete.c 14 Oct 2001 20:22:00 -0000
@@ -668,7 +668,7 @@
#define GEN_COMPS(bmap, flag, it, text, glist, tlist) \
do { \
- if (bmap & flag) \
+ if ((bmap & flag) && (it)##->slist) \
{ \
tlist = gen_matches_from_itemlist (it, text); \
glist = append_stringlist (glist, tlist); \
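Review bot: "(it)##->slist" in the changed condition uses the token-pasting operator between ')' and '->', which does not yield a valid preprocessing token; plain "(it)->slist" is what is meant. The condition also dereferences it without first testing it for NULL, so "(bmap & flag) && (it) && (it)->slist" would cover both the missing list and the empty one.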
Bug:
split_at_delims() loses non-whitespace delimiters =>
COMP_WORDS is not correct when words are separated by non-whitespace characters
Example:
"cat a>>b" is split into "cat" "a" ">" "b"
"cat a>b" is split into "cat" "a" "b"
Patch: (line numbers of the patch are wrong due to the other patch)
--- subst.c 2 Sep 2001 13:00:03 -0000 1.1.1.1
+++ subst.c 21 Oct 2001 10:42:49 -0000
@@ -1262,7 +1278,7 @@
if (string[te] == 0)
break;
- i = te + member (string[te], d);
+ i = te; // + member (string[te], d);
while (member (string[i], d) && whitespace(string[i]))
i++;
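Review bot: after "i = te;" the following while loop only steps over delimiters that are also whitespace, so a non-whitespace delimiter at te is left for the next pass to consume. That pass must then advance te itself; if the delimiter is in d but not in d2, or d2 is null, the loop can restart at the same index and never finish, so this change needs a check that each iteration moves i forward. The commented-out remainder "// + member (string[te], d);" should be removed rather than left behind, and the other comments visible in this file use /* */ rather than //.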
Comment:
seems to work but the first encountered delimiter seemed to have been
deliberately skipped no matter if whitespace or not, so maybe I am missing something
and sth else is broken now.
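The word-splitting behaviour from the last bug, as an added example that is not part of the original message and is not bash's code: a simplified splitter that reproduces the "cat a>b" and "cat a>>b" results above when the first delimiter after a word is skipped, and keeps the operators as tokens when it is not. The names split_words, is_ws, is_op, copy_span and MAX_TOKENS and the operator set are assumptions made for the illustration; quoting and $(...) / ${...} are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TOKENS 16
/* Simplified model (assumption), not bash's split_at_delims(). */
static int is_ws(char c) { return c == ' ' || c == '\t' || c == '\n'; }
static int is_op(char c) { return c != '\0' && strchr("<>|&;()", c) != NULL; }

static char *copy_span(const char *s, size_t from, size_t to)
{
    char *t = malloc(to - from + 1);
    if (t == NULL) abort();
    memcpy(t, s + from, to - from);
    t[to - from] = '\0';
    return t;
}

/* Split line into at most MAX_TOKENS words. skip_first_delim = 1 mimics the
   original "i = te + member (string[te], d)"; 0 mimics the patched "i = te". */
int split_words(const char *line, int skip_first_delim, char *out[MAX_TOKENS])
{
    size_t i = 0, ts, te;
    int n = 0;

    while (n < MAX_TOKENS) {
        while (is_ws(line[i])) i++;      /* whitespace never forms a token */
        if (line[i] == '\0') break;
        ts = te = i;
        if (is_op(line[ts]))             /* a run of operators is one token */
            while (is_op(line[te])) te++;
        else
            while (line[te] && !is_ws(line[te]) && !is_op(line[te])) te++;
        /* te > ts always holds here, so every pass consumes input. */
        out[n++] = copy_span(line, ts, te);
        if (line[te] == '\0') break;
        i = te + (skip_first_delim && (is_ws(line[te]) || is_op(line[te])));
    }
    return n;
}

int main(void)
{
    char *w[MAX_TOKENS];
    int n = split_words("cat a>b", 0, w);   /* constructed sample input */
    for (int k = 0; k < n; k++)
        puts(w[k]);
    return 0;
}
```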