fix two bugs with shells started to run executable scripts inheriting shell state; fix potential buffer overflow in brace expansion; fix crash caused by nofork command substitution not saving enough state

CWRU/CWRU.chlog

@@ -8334,3 +8334,40 @@ doc/bash.1
 test.c
 	- binary_test: make sure all calls in posix mode use TEST_LOCALE for
 	  locale-specific string comparisons
+
+shell.c
+	- find_bashrc_file: remove
+
+				   1/20
+				   ----
+shell.c
+	- exit_shell: don't try to call rl_deprep_terminal, regardless of the
+	  readline state we inherited, if bash_readline_initialized is 0
+	  Fixes bug reported by Oguz <oguzismailuysal@gmail.com>
+	- shell_reinitialize: reset startup_state and reading_shell_script to 0;
+	  reset debugging_mode to 0
+
+				   1/22
+				   ----
+builtins/shopt.def
+	- reset_shopt_options: reset debugging_mode to 0
+
+builtins/set.def
+	- reset_shell_options: reset interactive_comments to 1
+
+braces.c
+	- brace_expand: if the first call to brace_gobbler consumes the entire
+	  string, don't try to call it again
+	- brace_expand: check that i < tlen before checking to see if
+	  expand_seqterm left more of the string unconsumed
+	- brace_gobbler: if extract_command_subst hits the end of the string
+	  without closing the command substitution, make sure we return 0 as
+	  well as set *i = tlen
+	  From a fuzzing report by Nathan Mills <the.true.nathan.mills@gmail.com>
+
+				   1/23
+				   ----
+subst.c
+	- function_substitute: unwind-protect current_builtin and this_shell_builtin
+	  like we do this_shell_function
+	  From a fuzzing report by Nathan Mills <the.true.nathan.mills@gmail.com>

braces.c

@@ -115,6 +115,8 @@ brace_expand (char *text)
   do
     {
       c = brace_gobbler (text, tlen, &i, '{');	/* } */
+      if (i >= tlen)
+	break;
       c1 = c;
       /* Verify that c begins a valid brace expansion word.  If it doesn't, we
 	 go on.  Loop stops when there are no more open braces in the word. */
@@ -225,7 +227,7 @@ brace_expand (char *text)
       tack = expand_seqterm (amble, alen);
       if (tack)
 	goto add_tack;
-      else if (text[i + 1])
+      else if (i < tlen && text[i + 1])
 	{
 	  /* If the sequence expansion fails (e.g., because the integers
 	     overflow), but there is more in the string, try and process
@@ -635,6 +637,7 @@ brace_gobbler (char *text, size_t tlen, int *indx, int satisfy)
 	  if (i > tlen)
 	    {
 	      i = tlen;
+	      c = 0;
 	      break;
 	    }
 #else
@@ -691,6 +694,7 @@ comsub:
 	  if (i > tlen)
 	    {
 	      i = tlen;
+	      c = 0;
 	      break;
 	    }
 	  continue;

builtins/set.def

@@ -643,6 +643,8 @@ reset_shell_options (void)
   pipefail_opt = 0;
   ignoreeof = 0;
 
+  interactive_comments = 1;
+
 #if defined (STRICT_POSIX)
   posixly_correct = 1;
 #else

builtins/shopt.def

@@ -430,6 +430,10 @@ reset_shopt_options (void)
   xpg_echo = 0;
 #endif /* DEFAULT_ECHO_TO_XPG */
 
+#if defined (DEBUGGER)
+  debugging_mode = 0;
+#endif
+
   shopt_login_shell = login_shell;
 }
 

configure.ac

@@ -5,7 +5,7 @@ dnl report bugs to chet@po.cwru.edu
 dnl
 dnl Process this file with autoconf to produce a configure script.
 
-# Copyright (C) 1987-2024 Free Software Foundation, Inc.
+# Copyright (C) 1987-2023 Free Software Foundation, Inc.
 
 #
 #   This program is free software: you can redistribute it and/or modify
@@ -21,7 +21,7 @@ dnl Process this file with autoconf to produce a configure script.
 #   You should have received a copy of the GNU General Public License
 #   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-AC_REVISION([for Bash 5.3, version 5.060])dnl
+AC_REVISION([for Bash 5.3, version 5.059])dnl
 
 define(bashvers, 5.3)
 define(relstatus, devel)
@@ -1030,12 +1030,9 @@ fi
 
 dnl behavior of system calls and library functions
 BASH_FUNC_DUP2_CLOEXEC_CHECK
+BASH_SYS_PGRP_SYNC
 BASH_SYS_SIGNAL_VINTAGE
 
-dnl https://lists.gnu.org/archive/html/bug-bash/2024-01/msg00047.html
-dnl BASH_SYS_PGRP_SYNC
-AC_DEFINE(PGRP_PIPE)
-
 dnl checking for the presence of certain library symbols
 BASH_SYS_ERRLIST
 BASH_SYS_SIGLIST

lib/readline/doc/history.3

@@ -6,9 +6,9 @@
 .\"	Case Western Reserve University
 .\"	chet.ramey@case.edu
 .\"
-.\"	Last Change: Thu Jan 18 11:05:09 EST 2024
+.\"	Last Change: Fri Jan 19 11:53:57 EST 2024
 .\"
-.TH HISTORY 3 "2023 January 18" "GNU History 8.3"
+.TH HISTORY 3 "2024 January 19" "GNU History 8.3"
 .\"
 .\" File Name macro.  This used to be `.PN', for Path Name,
 .\" but Sun doesn't seem to like that very much.
@@ -645,8 +645,23 @@ string, in addition to space, tab, \fI:\fP and \fI?\fP in the case of
 a substring search.  The default is empty.
 
 .Vb int history_quotes_inhibit_expansion
-If non-zero, double-quoted words are not scanned for the history expansion
-character or the history comment character.  The default value is 0.
+If non-zero, the history expansion code implements shell-like quoting:
+single-quoted words are not scanned for the history expansion
+character or the history comment character, and double-quoted words may
+have history expansion performed, since single quotes are not special
+within double quotes.
+The default value is 0.
+
+.Vb int history_quoting_state
+An application may set this variable to indicate that the current line
+being expanded is subject to existing quoting. If set to \fI\(aq\fP, the
+history expansion function will assume that the line is single-quoted and
+inhibit expansion until it reads an unquoted closing single quote; if set
+to \fI\(dq\fP, history expansion will assume the line is double quoted until
+it reads an unquoted closing double quote. If set to zero, the default,
+the history expansion function will assume the line is not quoted and
+treat quote characters within the line as described above.
+This is only effective if \fBhistory_quotes_inhibit_expansion\fP is set.
 
 .Vb "rl_linebuf_func_t *" history_inhibit_expansion_function
 This should be set to the address of a function that takes two arguments:

shell.c

@@ -984,8 +984,11 @@ exit_shell (int s)
 
   /* Clean up the terminal if we are in a state where it's been modified. */
 #if defined (READLINE)
-  if (RL_ISSTATE (RL_STATE_TERMPREPPED) && rl_deprep_term_function)
+  if (bash_readline_initialized && RL_ISSTATE (RL_STATE_TERMPREPPED) && rl_deprep_term_function)
+{
+itrace("exit_shell: calling rl_deprep_term_function");
     (*rl_deprep_term_function) ();
+}
 #endif
   if (read_tty_modified ())
     read_tty_cleanup ();
@@ -1121,15 +1124,6 @@ execute_profile_file (void)
     maybe_execute_file ("~/.profile", 1);
 }
 
-/* Return the name of the default interactive shell startup file. We just
-   return the name of the historical bash startup file, but we could look
-   at a BASHRC variable or some more elaborate scheme. */
-static inline char *
-find_bashrc_file (void)
-{
-  return DEFAULT_BASHRC;
-}
-
 static void
 execute_bashrc_file (void)
 {
@@ -1144,12 +1138,7 @@ execute_bashrc_file (void)
   if (bashrc_file)
     maybe_execute_file (bashrc_file, 1);
   else
-    {
-      char *fn;
-
-      if (fn = find_bashrc_file ())
-	maybe_execute_file (fn, 1);	/* don't have to free this yet */
-    }
+    maybe_execute_file (DEFAULT_BASHRC, 1);
 }
 
 static void
@@ -2004,13 +1993,25 @@ shell_reinitialize (void)
   no_rc = no_profile = 1;
 
   /* Things that get 0. */
-  login_shell = make_login_shell = interactive = executing = 0;
-  debugging = do_version = line_number = last_command_exit_value = 0;
-  forced_interactive = interactive_shell = 0;
+  login_shell = make_login_shell = executing = 0;
+  debugging = debugging_mode = 0;
+  do_version = line_number = last_command_exit_value = 0;
+  forced_interactive = interactive_shell = interactive = 0;
   subshell_environment = running_in_background = 0;
   expand_aliases = expaliases_flag = 0;
   bash_argv_initialized = 0;
 
+  /* 20240120 */
+  startup_state = reading_shell_script = 0;
+  /* XXX - inherit posixly_correct? */
+
+  /* The shell has never done this. Should it? */
+#if 0
+  reset_shell_flags ();
+  reset_shell_options ();
+  reset_shopt_options ();
+#endif
+
   /* XXX - should we set jobs_m_flag to 0 here? */
 
 #if defined (HISTORY)

subst.c

@@ -49,6 +49,7 @@
 #include "flags.h"
 #include "jobs.h"
 #include "execute_cmd.h"
+#include "builtins.h"
 #include "filecntl.h"
 #include "trap.h"
 #include "pathexp.h"
@@ -6914,6 +6915,8 @@ function_substitute (char *string, int quoted, int flags)
   unwind_protect_pointer (subst_assign_varlist);
   unwind_protect_pointer (temporary_env);
   unwind_protect_pointer (this_shell_function);
+  unwind_protect_pointer (this_shell_builtin);
+  unwind_protect_pointer (current_builtin);
   unwind_protect_int (eof_encountered);
   add_unwind_protect (uw_pop_var_context, 0);
   add_unwind_protect (uw_maybe_restore_getopt_state, gs);