7 Bug-Reported-by: Julien Moutinho <julm+bash@sourcephile.fr>
8 Bug-Reference-ID: <20211004035906.5kiobuzkpeckmvwg@sourcephile.fr>
9 Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2021-10/msg00022.html
13 The bash malloc implementation of malloc_usable_size() does not follow the
14 specification. This can cause library functions that use it to overwrite
15 memory bounds checking.
17 Patch (apply with `patch -p0'):
19 *** ../bash-5.1-patched/lib/malloc/malloc.c 2020-07-08 10:19:30.000000000 -0400
20 --- lib/malloc/malloc.c 2021-10-05 16:10:55.000000000 -0400
25 ! /* XXX - should we return 0 if ISFREE? */
26 ! maxbytes = binsize(p->mh_index);
28 ! /* So the usable size is the maximum number of bytes in the bin less the
30 ! maxbytes -= MOVERHEAD + MSLOP;
37 ! /* return 0 if ISFREE */
38 ! if (p->mh_alloc == ISFREE)
41 ! /* Since we use bounds checking, the usable size is the last requested size. */
42 ! return (p->mh_nbytes);
45 *** ../bash-5.1/patchlevel.h 2020-06-22 14:51:03.000000000 -0400
46 --- patchlevel.h 2020-10-01 11:01:28.000000000 -0400
49 looks for to find the patch level (for the sccs version string). */
51 ! #define PATCHLEVEL 8
53 #endif /* _PATCHLEVEL_H_ */
55 looks for to find the patch level (for the sccs version string). */
57 ! #define PATCHLEVEL 9
59 #endif /* _PATCHLEVEL_H_ */