Re: v4.4 segfault in 'decode_prompt_string' when processing special parameter
Thanks for taking the time to explain that :) I'll do more homework next
time
On Sat, Jul 21, 2018, 8:51 PM Chet Ramey wrote:
> On 7/21/18 9:16 PM, Chris Schoenberg wrote:
> > Fair enough. Even though the behavior is different, the end is the same
> as
> > udf so makes sense of you want to leave it. Weird how it popped up in 4.4
> > though.
>
> The ${param@op} expansions were introduced in bash-4.4.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/
>
Re: v4.4 segfault in 'decode_prompt_string' when processing special parameter
On 7/21/18 9:16 PM, Chris Schoenberg wrote:
> Fair enough. Even though the behavior is different, the end is the same as
> udf so makes sense of you want to leave it. Weird how it popped up in 4.4
> though.
The ${param@op} expansions were introduced in bash-4.4.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/
Re: v4.4 segfault in 'decode_prompt_string' when processing special parameter
Fair enough. Even though the behavior is different, the end is the same as
udf so makes sense of you want to leave it. Weird how it popped up in 4.4
though.
On Sat, Jul 21, 2018, 6:58 PM Chet Ramey wrote:
> On 7/21/18 2:47 PM, Chris Schoenberg wrote:
> > This only works in 4.4; earlier versions throw a 'bad substitution'
> error. It
> > causes an infinite loop of calls between 'expand_prompt_string' and
> > 'decode_prompt_string',
> > where calls to 'xmalloc' exhaust the heap:
> >
> > $\{_@P};${_@P}
> >
> > I decided to report this because it is not a user-defined recursive
> > function and it exhausts the heap rather than the stack.
>
> It's user-defined recursive parameter expansion. A string that undergoes
> prompt expansion performs parameter expansion, as documented. If that
> parameter expansion passes the same string to prompt expansion, which
> performs parameter expansion, you've got user-defined recursion.
>
> --
> ``The lyf so short, the craft so long to lerne.'' - Chaucer
> ``Ars longa, vita brevis'' - Hippocrates
> Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/
>
Re: v4.4 segfault in 'decode_prompt_string' when processing special parameter
On 7/21/18 2:47 PM, Chris Schoenberg wrote:
> This only works in 4.4; earlier versions throw a 'bad substitution' error. It
> causes an infinite loop of calls between 'expand_prompt_string' and
> 'decode_prompt_string',
> where calls to 'xmalloc' exhaust the heap:
>
> $\{_@P};${_@P}
>
> I decided to report this because it is not a user-defined recursive
> function and it exhausts the heap rather than the stack.
It's user-defined recursive parameter expansion. A string that undergoes
prompt expansion performs parameter expansion, as documented. If that
parameter expansion passes the same string to prompt expansion, which
performs parameter expansion, you've got user-defined recursion.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/
Re: v4.4 segfault in 'decode_prompt_string' when processing special parameter
The payload got filtered, so here it is again (substitute the actual
character for [at]):
$\{_[at]P};${_[at]P}
On Sat, Jul 21, 2018, 1:47 PM Chris Schoenberg wrote:
> This only works in 4.4; earlier versions throw a 'bad substitution' error. It
> causes an infinite loop of calls between 'expand_prompt_string' and
> 'decode_prompt_string',
> where calls to 'xmalloc' exhaust the heap:
>
...
>
v4.4 segfault in 'decode_prompt_string' when processing special parameter
This only works in 4.4; earlier versions throw a 'bad substitution' error. It
causes an infinite loop of calls between 'expand_prompt_string' and
'decode_prompt_string',
where calls to 'xmalloc' exhaust the heap:
$\{_@P};${_@P}
I decided to report this because it is not a user-defined recursive
function and it exhausts the heap rather than the stack.
Here is a call trace that just repeats itself as you go back further (you
can see #7 and #0 are the same):
#0 decode_prompt_string (string=0x8dca08 "${_@P}") at
/usr/homes/chet/src/bash/src/parse.y:5471
#1 0x004cf5e0 in string_transform (xc=, v=0x84ca88,
s=0x8dca08 "${_@P}") at subst.c:5127
#2 0x004cc7c5 in parameter_brace_transform (varname=, value=, ind=, xform=,
rtype=0,
quoted=, flags=) at subst.c:5263
#3 0x004c5a3d in parameter_brace_expand (string=,
quoted=, pflags=,
contains_dollar_at=,
indexp=, quoted_dollar_atp=) at
subst.c:8364
#4 param_expand (string=, sindex=,
quoted=, expanded_something=,
contains_dollar_at=, quoted_dollar_at_p=,
had_quoted_null_p=, pflags=) at subst.c:8740
#5 0x004b2640 in expand_word_internal (word=,
quoted=, isexp=,
contains_dollar_at=,
expanded_something=) at subst.c:9301
#6 0x004b16ca in expand_prompt_string (string=0x8dc908 "${_@P}",
quoted=1, wflags=) at subst.c:3732
#7 0x00434fe0 in decode_prompt_string (string=) at
/usr/homes/chet/src/bash/src/parse.y:5833
