BASH PATCH REPORT ================= Bash-Release: 4.2 Patch-ID: bash42-003 Bug-Reported-by: Clark J. Wang Bug-Reference-ID: Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2011-02/msg00136.html Bug-Description: When using the pattern replacement and pattern removal word expansions, bash miscalculates the possible match length in the presence of an unescaped left bracket without a closing right bracket, resulting in a failure to match the pattern. Patch (apply with `patch -p0'): --- a/lib/glob/gmisc.c +++ b/lib/glob/gmisc.c @@ -77,8 +77,8 @@ wmatchlen (wpat, wmax) wchar_t *wpat; size_t wmax; { - wchar_t wc, *wbrack; - int matlen, t, in_cclass, in_collsym, in_equiv; + wchar_t wc; + int matlen, bracklen, t, in_cclass, in_collsym, in_equiv; if (*wpat == 0) return (0); @@ -118,58 +118,80 @@ wmatchlen (wpat, wmax) break; case L'[': /* scan for ending `]', skipping over embedded [:...:] */ - wbrack = wpat; + bracklen = 1; wc = *wpat++; do { if (wc == 0) { - matlen += wpat - wbrack - 1; /* incremented below */ - break; + wpat--; /* back up to NUL */ + matlen += bracklen; + goto bad_bracket; } else if (wc == L'\\') { - wc = *wpat++; - if (*wpat == 0) - break; + /* *wpat == backslash-escaped character */ + bracklen++; + /* If the backslash or backslash-escape ends the string, + bail. The ++wpat skips over the backslash escape */ + if (*wpat == 0 || *++wpat == 0) + { + matlen += bracklen; + goto bad_bracket; + } } else if (wc == L'[' && *wpat == L':') /* character class */ { wpat++; + bracklen++; in_cclass = 1; } else if (in_cclass && wc == L':' && *wpat == L']') { wpat++; + bracklen++; in_cclass = 0; } else if (wc == L'[' && *wpat == L'.') /* collating symbol */ { wpat++; + bracklen++; if (*wpat == L']') /* right bracket can appear as collating symbol */ - wpat++; + { + wpat++; + bracklen++; + } in_collsym = 1; } else if (in_collsym && wc == L'.' && *wpat == L']') { wpat++; + bracklen++; in_collsym = 0; } else if (wc == L'[' && *wpat == L'=') /* equivalence class */ { wpat++; + bracklen++; if (*wpat == L']') /* right bracket can appear as equivalence class */ - wpat++; + { + wpat++; + bracklen++; + } in_equiv = 1; } else if (in_equiv && wc == L'=' && *wpat == L']') { wpat++; + bracklen++; in_equiv = 0; } + else + bracklen++; } while ((wc = *wpat++) != L']'); matlen++; /* bracket expression can only match one char */ +bad_bracket: break; } } @@ -213,8 +235,8 @@ umatchlen (pat, max) char *pat; size_t max; { - char c, *brack; - int matlen, t, in_cclass, in_collsym, in_equiv; + char c; + int matlen, bracklen, t, in_cclass, in_collsym, in_equiv; if (*pat == 0) return (0); @@ -254,58 +276,80 @@ umatchlen (pat, max) break; case '[': /* scan for ending `]', skipping over embedded [:...:] */ - brack = pat; + bracklen = 1; c = *pat++; do { if (c == 0) { - matlen += pat - brack - 1; /* incremented below */ - break; + pat--; /* back up to NUL */ + matlen += bracklen; + goto bad_bracket; } else if (c == '\\') { - c = *pat++; - if (*pat == 0) - break; + /* *pat == backslash-escaped character */ + bracklen++; + /* If the backslash or backslash-escape ends the string, + bail. The ++pat skips over the backslash escape */ + if (*pat == 0 || *++pat == 0) + { + matlen += bracklen; + goto bad_bracket; + } } else if (c == '[' && *pat == ':') /* character class */ { pat++; + bracklen++; in_cclass = 1; } else if (in_cclass && c == ':' && *pat == ']') { pat++; + bracklen++; in_cclass = 0; } else if (c == '[' && *pat == '.') /* collating symbol */ { pat++; + bracklen++; if (*pat == ']') /* right bracket can appear as collating symbol */ - pat++; + { + pat++; + bracklen++; + } in_collsym = 1; } else if (in_collsym && c == '.' && *pat == ']') { pat++; + bracklen++; in_collsym = 0; } else if (c == '[' && *pat == '=') /* equivalence class */ { pat++; + bracklen++; if (*pat == ']') /* right bracket can appear as equivalence class */ - pat++; + { + pat++; + bracklen++; + } in_equiv = 1; } else if (in_equiv && c == '=' && *pat == ']') { pat++; + bracklen++; in_equiv = 0; } + else + bracklen++; } while ((c = *pat++) != ']'); matlen++; /* bracket expression can only match one char */ +bad_bracket: break; } } --- a/patchlevel.h +++ b/patchlevel.h @@ -25,6 +25,6 @@ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh looks for to find the patch level (for the sccs version string). */ -#define PATCHLEVEL 2 +#define PATCHLEVEL 3 #endif /* _PATCHLEVEL_H_ */