BASH PATCH REPORT ================= Bash-Release: 4.3 Patch-ID: bash43-041 Bug-Reported-by: Hanno Böck Bug-Reference-ID: <20150623131106.6f111da9@pc1>, <20150707004640.0e61d2f9@pc1> Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2015-06/msg00089.html, http://lists.gnu.org/archive/html/bug-bash/2015-07/msg00018.html Bug-Description: There are several out-of-bounds read errors that occur when completing command lines where assignment statements appear before the command name. The first two appear only when programmable completion is enabled; the last one only happens when listing possible completions. Patch (apply with `patch -p0'): --- a/bashline.c +++ b/bashline.c @@ -1468,10 +1468,23 @@ attempt_shell_completion (text, start, e os = start; n = 0; + was_assignment = 0; s = find_cmd_start (os); e = find_cmd_end (end); do { + /* Don't read past the end of rl_line_buffer */ + if (s > rl_end) + { + s1 = s = e1; + break; + } + /* Or past point if point is within an assignment statement */ + else if (was_assignment && s > rl_point) + { + s1 = s = e1; + break; + } /* Skip over assignment statements preceding a command name. If we don't find a command name at all, we can perform command name completion. If we find a partial command name, we should perform --- a/lib/readline/complete.c +++ b/lib/readline/complete.c @@ -689,6 +689,8 @@ printable_part (pathname) if (temp == 0 || *temp == '\0') return (pathname); + else if (temp[1] == 0 && temp == pathname) + return (pathname); /* If the basename is NULL, we might have a pathname like '/usr/src/'. Look for a previous slash and, if one is found, return the portion following that slash. If there's no previous slash, just return the --- a/patchlevel.h +++ b/patchlevel.h @@ -25,6 +25,6 @@ regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh looks for to find the patch level (for the sccs version string). */ -#define PATCHLEVEL 40 +#define PATCHLEVEL 41 #endif /* _PATCHLEVEL_H_ */