bash: Fix for CVE-2014-7186 and CVE-2014-7187 Upstream-Status: Backport {GNU Patch-ID: bash32-055} Downloaded from: http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-055 Author: Chet Ramey Signed-off-by: Sona Sarmadi BASH PATCH REPORT ================= Bash-Release: 3.2 Patch-ID: bash32-055 Bug-Reported-by: Florian Weimer Bug-Reference-ID: Bug-Reference-URL: Bug-Description: There are two local buffer overflows in parse.y that can cause the shell to dump core when given many here-documents attached to a single command or many nested loops.
---
--- a/parse.y 2014-09-27 12:17:16.000000000 -0400
+++ b/parse.y 2014-09-30 19:43:22.000000000 -0400
@@ -166,4 +166,7 @@
 static int reserved_word_acceptable __P((int));
 static int yylex __P((void));
+
+static void push_heredoc __P((REDIRECT *));
+static char *mk_alexpansion __P((char *));
 static int alias_expand_token __P((char *));
 static int time_command_acceptable __P((void));
@@ -254,5 +257,7 @@
 /* Variables to manage the task of reading here documents, because we need to defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+#define HEREDOC_MAX 16
+
+static REDIRECT *redir_stack[HEREDOC_MAX];
 int need_here_doc;
@@ -280,5 +285,5 @@
 index is decremented after a case, select, or for command is parsed. */
 #define MAX_CASE_NEST 128
-static int word_lineno[MAX_CASE_NEST];
+static int word_lineno[MAX_CASE_NEST+1];
 static int word_top = -1;
@@ -425,5 +430,5 @@
 redir.filename = $2;
 $$ = make_redirection (0, r_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
 }
 | NUMBER LESS_LESS WORD
@@ -431,5 +436,5 @@
 redir.filename = $3;
 $$ = make_redirection ($1, r_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
 }
 | LESS_LESS_LESS WORD
@@ -488,5 +493,5 @@
 $$ = make_redirection (0, r_deblank_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
 }
 | NUMBER LESS_LESS_MINUS WORD
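Review bot: `HEREDOC_MAX` in the `@@ -254,5 +257,7 @@` hunk is introduced without a comment, although it is now a hard limit: the `push_heredoc` body added later in this patch reports a syntax error and exits the shell once it is reached. I would document that on the define, e.g. `/* Maximum number of pending here-documents per command; push_heredoc treats reaching it as a fatal syntax error. */`. `need_here_doc` remains a plain `int` with external linkage, so the bound holds only while every store into `redir_stack` goes through `push_heredoc`.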
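Review bot: Enlarging `word_lineno` to `MAX_CASE_NEST+1` in the `@@ -280,5 +285,5 @@` hunk adds one slot but does not by itself bound `word_top`. None of the hunks shown here adds a check where `word_top` is incremented, so the nested-loop overflow named in the description would presumably still index past the array. Each increment site should be guarded, e.g. `if (word_top < MAX_CASE_NEST) word_top++;`; the page may simply be missing those hunks, so this is worth confirming against the full bash32-055 patch. A short comment on why the array has one element more than `MAX_CASE_NEST` would also help the next reader.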
@@ -495,5 +500,5 @@
 $$ = make_redirection ($1, r_deblank_reading_until, redir);
- redir_stack[need_here_doc++] = $$;
+ push_heredoc ($$);
 }
 | GREATER_AND '-'
@@ -2214,4 +2219,19 @@
 static int esacs_needed_count;
+static void
+push_heredoc (r)
+ REDIRECT *r;
+{
+ if (need_here_doc >= HEREDOC_MAX)
+ {
+ last_command_exit_value = EX_BADUSAGE;
+ need_here_doc = 0;
+ report_syntax_error (_("maximum here-document count exceeded"));
+ reset_parser ();
+ exit_shell (last_command_exit_value);
+ }
+ redir_stack[need_here_doc++] = r;
+}
+
 void
 gather_here_documents ()
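Review bot: `push_heredoc` in the `@@ -2214,4 +2219,19 @@` hunk has no header comment, and its failure path needs one: when `need_here_doc` has already reached `HEREDOC_MAX` it reports a syntax error and calls `exit_shell` rather than returning an error to the grammar action. Suggested comment: `/* Push R onto redir_stack; exceeding HEREDOC_MAX pending here-documents is fatal and exits the shell. */`. The test is only an upper bound, so it relies on `need_here_doc` never being negative and on no direct `redir_stack[need_here_doc++] = ...` store remaining elsewhere in parse.y; the four call sites converted in this patch are the only ones visible here. `gather_here_documents` begins at the end of the hunk and its body is outside it.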