Debian Bug report logs - #261142
bash: ~/../``/<tab> => assertion botched, free: start and end chunk sizes differ

Package: bash; Maintainer for bash is Matthias Klose <doko@debian.org>; Source for bash is src:bash.

Reported by: Samuel Thibault <samuel.thibault@ens-lyon.org>

Date: Fri, 23 Jul 2004 22:33:02 UTC

Severity: normal

Tags: patch, upstream

Found in version 2.05b-22

Fixed in versions bash/3.0-1, bash/3.0-6

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Forwarded to chet@po.cwru.edu


Report forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#261142; Package bash.


Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
New Bug report received and forwarded. Copy sent to Matthias Klose <doko@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Samuel Thibault <samuel.thibault@ens-lyon.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bash: ~/../``/<tab> => assertion botched, free: start and end chunk sizes differ
Date: Sat, 24 Jul 2004 00:24:27 +0200
Package: bash
Version: 2.05b-22
Severity: normal
Tags: upstream

Hi,

When trying to auto-complete ~/../``/, I just get:
malloc: bashline.c:1340: assertion botched
free: start and end chunk sizes differ
last command: kill -9 %2
Stopping myself...

i.e.:

        {
          if (freetemp)
>>          free (temp);
          free (val);
          goto inner;
        }

What's wrong is above:

          if (*hint_text == '~')
            {
              int l, tl, vl;
              vl = strlen (val);
              tl = strlen (hint_text);
              l = vl - hint_len;        /* # of chars added */
              temp = (char *)xmalloc (l + 2 + tl);
              strcpy (temp, hint_text);
              strcpy (temp + tl, val + vl - l);
            }

since when coming to this point hint_text is of course "~/../``/", hint
is "/home/samy/../``/" (hence hint_len == 17), but val is "/home/samy",
i.e. shorter than hint, hence l == -7, and the second strcpy goes out from
val!

What goes wrong here is assuming that hint will be shorter than
val. Why is this wrong here? Because of
bash_directory_completion_hook():

...
  if (!no_symbolic_links && (local_dirname[0] != '.' || local_dirname[1]))
    {
      t = get_working_directory ("symlink-hook");
      temp1 = make_absolute (local_dirname, t);
      free (t);
      temp2 = sh_canonpath (temp1, PATH_CHECKDOTDOT|PATH_CHECKEXISTS);

which indeed *shortens* the path: makes it absolute (nothing to do thanks
to ~ expansion), and most of all canonicalizes it, i.e. replaces
"/home/samy/..//" by just "/home"!  As a result, val gets
"/home/samy".


In any case, assuming that hint is a prefix of val and getting the added
filename this way is wrong, I'd suggest the following patch:

--- bashline-old.c	2004-07-24 00:07:08.000000000 +0200
+++ bashline.c	2004-07-24 00:21:27.000000000 +0200
@@ -1299,13 +1299,18 @@
 	     filename. */
 	  if (*hint_text == '~')
 	    {
-	      int l, tl, vl;
-	      vl = strlen (val);
+	      char *added_filename;
+	      int l,tl;
+	      added_filename = strrchr(val,'/');
+	      if (!added_filename)
+		added_filename = val;	/* shouldn't happen, but who knows */
+	      else
+		added_filename++;
 	      tl = strlen (hint_text);
-	      l = vl - hint_len;	/* # of chars added */
+	      l = strlen(val)-(added_filename-val);	/* # of chars added */
 	      temp = (char *)xmalloc (l + 2 + tl);
 	      strcpy (temp, hint_text);
-	      strcpy (temp + tl, val + vl - l);
+	      strcpy (temp + tl, added_filename);
 	    }
 	  else
 	    temp = savestring (val);
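
Review bot: "strcpy (temp, hint_text);" still copies the whole of hint_text, so when hint_text ends in a partially typed name rather than a '/', the following "strcpy (temp + tl, added_filename);" appends the complete filename after that partial name and the typed prefix ends up in temp twice. Split hint_text at its own last '/' with the same strrchr logic used for val, copy only that directory part, and size the xmalloc from the directory length plus the filename length. Separately, "l = strlen(val)-(added_filename-val);" is simply strlen (added_filename); writing it that way removes the pointer subtraction, and the "shouldn't happen" fallback would be easier to trust with a comment saying what val looks like when it contains no '/'.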

Regards,
Samuel Thibault

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro

Versions of packages bash depends on:
ii  base-files                  3.0.16       Debian base system miscellaneous f
ii  libc6                       2.3.2.ds1-13 GNU C Library: Shared libraries an
ii  libncurses5                 5.4-4        Shared libraries for terminal hand
ii  passwd                      1:4.0.3-29.1 Change and administer password and

-- no debconf information



Tags added: patch Request was from Samuel Thibault <samuel.thibault@ens-lyon.org> to control@bugs.debian.org.


Tags added: upstream Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org.


Noted your statement that Bug has been forwarded to chet@po.cwru.edu. Request was from Matthias Klose <doko@cs.tu-berlin.de> to control@bugs.debian.org.


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility.


Notification sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Bug acknowledged by developer.


Message #16 received at 261142-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 261142-close@bugs.debian.org
Subject: Bug#261142: fixed in bash 3.0-1
Date: Wed, 28 Jul 2004 03:02:06 -0400
Source: bash
Source-Version: 3.0-1

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive:

bash-builtins_3.0-1_i386.deb
  to pool/main/b/bash/bash-builtins_3.0-1_i386.deb
bash-doc_3.0-1_all.deb
  to pool/main/b/bash/bash-doc_3.0-1_all.deb
bash-minimal_3.0-1_i386.deb
  to pool/main/b/bash/bash-minimal_3.0-1_i386.deb
bash-static_3.0-1_i386.deb
  to pool/main/b/bash/bash-static_3.0-1_i386.deb
bash_3.0-1.diff.gz
  to pool/main/b/bash/bash_3.0-1.diff.gz
bash_3.0-1.dsc
  to pool/main/b/bash/bash_3.0-1.dsc
bash_3.0-1_i386.deb
  to pool/main/b/bash/bash_3.0-1_i386.deb
bash_3.0.orig.tar.gz
  to pool/main/b/bash/bash_3.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 261142@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 27 Jul 2004 21:23:42 +0200
Source: bash
Binary: bashdb bash-builtins bash bash-minimal bash-static bash-doc
Architecture: source i386 all
Version: 3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 bash       - The GNU Bourne Again SHell
 bash-builtins - Bash loadable builtins - headers & examples
 bash-doc   - Documentation and examples for the The GNU Bourne Again SHell
 bash-minimal - The GNU Bourne Again SHell (minimal version)
 bash-static - The GNU Bourne Again SHell (static version)
Closes: 110969 152847 155134 155369 157954 160932 162773 162952 164134 165212 165533 167002 167003 168267 168318 168321 168331 170298 172971 173148 173588 173744 173854 174133 174744 176968 178828 180290 183352 186218 189006 193570 195116 197965 211426 211693 219958 224303 232653 249219 249657 251801 261142
Changes: 
 bash (3.0-1) unstable; urgency=medium
 .
   * New upstream release.
   * Bugs fixed in this release (and the alpha/beta releases and release
     candidates):
     - Fixed a bug that caused the prompt to overwrite previous output when the
       output doesn't contain a newline and the locale supports multibyte
       characters.  This same change fixes the problem of readline redisplay
       slowing down dramatically as the line gets longer in multibyte locales.
       Closed: #179883.
     - The shell no longer seg faults if the expanded value of $PS4 is null
       and `set -x' is enabled. Closes: #165533.
     - Don't define a default DEFAULT_MAIL_DIRECTORY, because it can cause
       a timeout on NFS mounts. Closes: #211426.
     - Fixed a bad interaction between alias and completion. Closes: #186218.
     - Fix initialization of local variables with "$@". Closes: #180290.
     - Fixed segfault in "read -a foo <<< $(echo)". Closes: #167003.
     - Fixed the history word tokenizer to handle <( and >( better when used as
       part of bash. Closes: #165212.
     - Fixed EINTR signal killing redirection. Closes: #164134.
     - Fixed infinite loop with IFS="<non-ws-char>" and compgen -W.
       Closes: #162952.
     - Fixed the internal logout code so that shells that time out waiting for
       input (using $TMOUT) run ~/.bash_logout. Closes: #152847.
     - Speedups to the multibyte character redisplay code. Closes: #197965.
     - Better error message on wrong kill arguments. Closes: #193570.
     - Overwriting of prompt. Closes: #176968.
     - The shell now reports on processes that dump core due to signals when
       invoked as `-c command'. Closes: #211693.
     - Fixed ferror being called w/o always first calling clearerr
       results in spurious errors reported. Closes: #195116.
     - Add missing trailing slash on directory completion. Closes: #178828.
     - Fix different behaviour for builtin and external commands together
       with arithmetic expansion. Closes: #173744.
     - Fixed a bug that caused redirections accompanying a null command
       to persist in the current shell. Closes: #173148.
     - Fixed a bug that caused a leading `-' in the shell's name to cause it to
       not be recognized as a restricted shell. Closes: #170298.
     - Fix segfault in ill formed parameter expansion. Closes: #162773.
     - Fixed a bug in brace expansion that caused a quoted `$' preceding an
       open brace to inhibit brace expansion. Closes: #157954.
     - Removed the attempts to avoid adding a slash at the end of a completed
       executable name if there was a directory with the same name in the
       current directory. Closes: #155134, #189006.
     - Fix error message for circular alias expansions. Closes: #173588.
     - Fixed a bug that caused some key bindings set in an inputrc to be ignored
       at shell startup. Closes: #110969.
     - Fix segfault on bad array subscripts. Closes: #232653.
     - Fix "set completion-ignore-case on" breaking some tab completion.
       Closes: #224303.
     - Flag an error when a user uses "% DIGITS" instead of "%DIGITS", and
       don't give him a different job instead. Closes: #173854.
     - For 'cd filename' say 'not a directory', not 'no such file or directory'
       when filename exists and is not a directory. Closes: #219958.
     - Expansion results are the same for ${1:+"$@"} and "$@" if IFS is not
       the default.
     - The locale code does a better job of recomputing the various locale
       variable values when LC_ALL is unset. Closes: #160932.
     - Fix substitution error triggering an assertion. Closes: #251801.
   * Documentation updated in this release (and the alpha/beta releases):
     - Fix documentation about exit status of unset builtin. Closes: #183352.
     - Clarify documentation for arguments of wait builtin. Closes: #174133.
     - Document ${!prefix@} expansion. Closes: #168318.
     - Fix documentation of GLOBIGNORE behaviour. Closes: #168267.
     - Document the use of $EMACS. Closes: #174744.
     - Improve documentation of the value of arithmetic expressions.
       Closes: #168321.
     - Make docs more explicit about variable indirection in shell parameter
       expansion. Closes: #167002.
     - Documentation for values of various assignments updated. Closes: #168331.
     - In section "Shell Functions", add documentation for syntax,
       which bash accepts. Closes: #172971.
     - Fix documentation of the PATH variable. Closes: #155369.
     - Document SHELL variable in section "Shell Variables". Closes: #249657.
     - Remove reference to missing section in rbash(1). Closes: #249219.
   * Fix another segfault in completion code. Closes: #261142.




Information forwarded to debian-bugs-dist@lists.debian.org, Matthias Klose <doko@debian.org>:
Bug#261142; Package bash.


Acknowledgement sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Extra info received and forwarded to list. Copy sent to Matthias Klose <doko@debian.org>.


Message #21 received at 261142@bugs.debian.org:

From: Samuel Thibault <samuel.thibault@ens-lyon.org>
To: 261142@bugs.debian.org
Subject: Re: Bug#261142 acknowledged by developer (Bug#261142: fixed in bash 3.0-1)
Date: Mon, 2 Aug 2004 16:30:22 +0200
Hi,

Really sorry for the mis-completion (bugs #261955, #262338, #262602),
here is a corrected patch: it both splits hint_text and val right at
the beginning of the filename, and takes the path from hint_text and
the filename from val. *That*, at last, should be Ok.

Regards,
Samuel
[patch (text/plain, attachment)]
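
The length arithmetic analysed in message #5 and the split-both-strings approach described in message #21, as an added C example that is not part of this bug log or of bash. All function names are hypothetical; the first input pair uses the values quoted in the report, and "~/fo" completing to "/home/samy/foo" is a constructed sample.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* All function names here are hypothetical; they are not bash's. */

/* The reported arithmetic: "# of chars added" = strlen(val) - hint_len.
   A negative result means val + vl - l points past the end of val. */
static long added_len_original(const char *val, size_t hint_len)
{
    return (long)strlen(val) - (long)hint_len;
}

/* Text after the last '/', or the whole string when there is no '/'. */
static const char *filename_part(const char *s)
{
    const char *slash = strrchr(s, '/');
    return slash ? slash + 1 : s;
}

/* First patch: whole hint_text followed by the filename taken from val. */
static char *rebuild_first_patch(const char *hint_text, const char *val)
{
    const char *name = filename_part(val);
    char *temp = malloc(strlen(hint_text) + strlen(name) + 1);
    if (temp == NULL)
        return NULL;
    strcpy(temp, hint_text);
    strcat(temp, name);
    return temp;
}

/* Corrected approach: directory part of hint_text plus filename from val. */
static char *rebuild_split_both(const char *hint_text, const char *val)
{
    size_t dir_len = (size_t)(filename_part(hint_text) - hint_text);
    const char *name = filename_part(val);
    char *temp = malloc(dir_len + strlen(name) + 1);
    if (temp == NULL)
        return NULL;
    memcpy(temp, hint_text, dir_len);
    strcpy(temp + dir_len, name);
    return temp;
}

int main(void)
{
    /* Values from the report: val is shorter than the expanded hint. */
    printf("original l = %ld\n", added_len_original("/home/samy", 17));
    /* Constructed sample: a partially typed name "fo" completing to "foo". */
    char *a = rebuild_first_patch("~/fo", "/home/samy/foo");
    char *b = rebuild_split_both("~/fo", "/home/samy/foo");
    char *c = rebuild_split_both("~/../``/", "/home/samy");
    if (a && b && c)
        printf("%s | %s | %s\n", a, b, c);
    free(a); free(b); free(c);
    return 0;
}
```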

Bug reopened, originator not changed. Request was from Samuel Thibault <samuel.thibault@ens-lyon.org> to control@bugs.debian.org.


Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility.


Notification sent to Samuel Thibault <samuel.thibault@ens-lyon.org>:
Bug acknowledged by developer.


Message #28 received at 261142-close@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: 261142-close@bugs.debian.org
Subject: Bug#261142: fixed in bash 3.0-6
Date: Sat, 04 Sep 2004 05:47:05 -0400
Source: bash
Source-Version: 3.0-6

We believe that the bug you reported is fixed in the latest version of
bash, which is due to be installed in the Debian FTP archive:

bash-builtins_3.0-6_i386.deb
  to pool/main/b/bash/bash-builtins_3.0-6_i386.deb
bash-doc_3.0-6_all.deb
  to pool/main/b/bash/bash-doc_3.0-6_all.deb
bash-minimal_3.0-6_i386.deb
  to pool/main/b/bash/bash-minimal_3.0-6_i386.deb
bash-static_3.0-6_i386.deb
  to pool/main/b/bash/bash-static_3.0-6_i386.deb
bash_3.0-6.diff.gz
  to pool/main/b/bash/bash_3.0-6.diff.gz
bash_3.0-6.dsc
  to pool/main/b/bash/bash_3.0-6.dsc
bash_3.0-6_i386.deb
  to pool/main/b/bash/bash_3.0-6_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 261142@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated bash package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sat,  4 Sep 2004 10:21:23 +0200
Source: bash
Binary: bashdb bash-builtins bash bash-minimal bash-static bash-doc
Architecture: source i386 all
Version: 3.0-6
Distribution: unstable
Urgency: low
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Description: 
 bash       - The GNU Bourne Again SHell
 bash-builtins - Bash loadable builtins - headers & examples
 bash-doc   - Documentation and examples for the The GNU Bourne Again SHell
 bash-minimal - The GNU Bourne Again SHell (minimal version)
 bash-static - The GNU Bourne Again SHell (static version)
Closes: 7047 10494 141292 161057 187983 192831 203767 224916 243015 253766 257540 261142 262105 265259 265982 268922
Changes: 
 bash (3.0-6) unstable; urgency=low
 .
   * Fixed in bash-3.0:
     - New option pipefail. If set, the return value of a pipeline is the
       value of the last (rightmost) command to exit with a non-zero status,
       or zero if all commands in the pipeline exit successfully.  This option
       is disabled by default. The two oldest outstanding bash reports are
       gone (closes: #7047, #10494).
     - "$( substitution strangeness (closes: #187983).
     - timestamp support in history (closes: #161057).
   * Various updates from the net:
     - Fix a bug in array expansion.
     - Fix a bug in brace expansion.
     - Handle multibyte characters in IFS values.
     - Fix a bug, when pipefail option is set.
     - History saved-line handling (closes: #253766, #268922).
     - Fix parameter expansion with UTF-8 and ${#var} or ${var: -1}.
   * Apply patch to fix non POSIX function name and avoid use of global
     variables (Stephen Gildea). Closes: #262105.
   * Add command_not_found_handle in non POSIX interactive shells.
     Closes: #243015.
   * Check for /usr/sbin/remove-shell before using it (closes: #265982).
   * bash-builtins: Install missing header files (closes: #265259).
   * Clarify documentation about substring expansion (closes: #192831, #203767).
   * Fix completion on ~/../``/<tab> (closes: #261142).
   * Clarify documentation about case-insensitive pathname expansion.
     Closes: #141292.
   * Apply patch to fix the display of UTF-8 characters.
     Closes: #224916, #257540.




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Dec 6 07:37:39 2023; Machine Name: buxtehude
