From: Eric Li <lixiaoyi13691419...@gmail.com>
To: bug-bash@gnu.org
Subject: Integer overflow of i in string_extract_verbatim

Configuration Information [Automatically generated, do not change]:
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -g -Og
uname output: Linux fedora 6.2.12-200.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Apr 20 23:38:29 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-pc-linux-gnu

Bash Version: 5.2
Patch Level: 15
Release Status: release

Description:
Bash runs into a segmentation fault when spawning a process with argc larger than 2GB. Can debug using GDB and observe that subst.c:1204 (string_extract_verbatim, "while (c = string[i])") crashes because i = -2147483648. string[i] points to invalid memory.

Repeat-By:
1. Put the following shell script in a.sh:

   A='aaaaaaaaaaaaaaaaaaaaaaaa'
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   A="$A$A$A$A"
   set -o pipefail
   echo $A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A$A | wc
   echo $?
   echo done

2. Run "./bash a.sh"
3. See:
   a.sh: line 15: ... Segmentation fault (core dumped)
4. Use the following command to debug with GDB:
   gdb ./bash --ex 'set follow-fork-mode child' --ex 'r a.sh'
5. See GDB output similar to the following:
   Thread 2.1 "bash" received signal SIGSEGV, Segmentation fault.
   ... in string_extract_verbatim (...) at subst.c:1204
   1204      while (c = string[i])
6. Using GDB, can see that i = -2147483648.

Fix:
In string_extract_verbatim, change "int i" to "size_t i". Also need to change other places, including:
* Argument sindex of string_extract_verbatim
* Variable sindex of get_word_from_string
* Variable sindex of get_word_from_string
* Argument sindex of string_extract_single_quoted
* ...
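The mechanism behind the report, as an added model that is not bash's code and not part of the report: a signed index narrower than the string wraps negative and indexes memory before the buffer. A 2 GB string is impractical to allocate for a demonstration, so the narrow-index variant below uses a 16-bit `short` instead of bash's 32-bit `int`, making the same wrap visible on a constructed 40,000-byte input; function names and the input are assumptions for the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Scan for the first character of charlist using a narrow signed index,
 * mirroring the reported "while (c = string[i])" loop.  Returns the index
 * found, or -1 once the index has wrapped negative.  Real code has no such
 * guard and dereferences string[-32768] (bash: string[-2147483648]). */
long scan_with_short_index(const char *string, const char *charlist) {
    short i = 0;
    for (;;) {
        if (i < 0)
            return -1;              /* wrapped: would read before the buffer */
        char c = string[i];
        if (c == '\0' || strchr(charlist, c))
            return i;
        i++;                        /* 32767 + 1 converts back to -32768 on
                                       gcc/clang (implementation-defined) */
    }
}

/* Hardened form, as the report proposes: the index has the same width as
 * the object being indexed, so it cannot go negative for any in-memory string. */
size_t scan_with_size_t_index(const char *string, const char *charlist) {
    size_t i = 0;
    char c;
    while ((c = string[i]) != '\0') {
        if (strchr(charlist, c))
            break;
        i++;
    }
    return i;
}

/* Constructed input: n copies of 'a' followed by a '|' delimiter. */
char *make_long_input(size_t n) {
    char *s = malloc(n + 2);
    if (s == NULL)
        return NULL;
    memset(s, 'a', n);
    s[n] = '|';
    s[n + 1] = '\0';
    return s;
}
```

With a 40,000-byte input the `short`-indexed scan reports the wrap (-1) while the `size_t` scan returns 40000, the position of the delimiter.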