BASH PATCH REPORT ================= Bash-Release: 4.4 Patch-ID: bash44-006 Bug-Reported-by: <fernando@null-life.com> Bug-Reference-ID: <CAEr-gPFPvqheiAeENmMkEwWRd4U=1iqCsYmR3sLdULOqL++_tQ@mail.gmail.com> Bug-Reference-URL: Bug-Description: Out-of-range negative offsets to popd can cause the shell to crash attempting to free an invalid memory block. Patch (apply with `patch -p0'): *** ../bash-4.4-patched/builtins/pushd.def 2016-01-25 13:31:49.000000000 -0500 --- builtins/pushd.def 2016-10-28 10:46:49.000000000 -0400 *************** *** 366,370 **** } ! if (which > directory_list_offset || (directory_list_offset == 0 && which == 0)) { pushd_error (directory_list_offset, which_word ? which_word : ""); --- 366,370 ---- } ! if (which > directory_list_offset || (which < -directory_list_offset) || (directory_list_offset == 0 && which == 0)) { pushd_error (directory_list_offset, which_word ? which_word : ""); *************** *** 388,391 **** --- 388,396 ---- of the list into place. */ i = (direction == '+') ? directory_list_offset - which : which; + if (i < 0 || i > directory_list_offset) + { + pushd_error (directory_list_offset, which_word ? which_word : ""); + return (EXECUTION_FAILURE); + } free (pushd_directory_list[i]); directory_list_offset--; *** ../bash-4.4/patchlevel.h 2016-06-22 14:51:03.000000000 -0400 --- patchlevel.h 2016-10-01 11:01:28.000000000 -0400 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 5 #endif /* _PATCHLEVEL_H_ */ --- 26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 6 #endif /* _PATCHLEVEL_H_ */