BASH PATCH REPORT ================= Bash-Release: 4.2 Patch-ID: bash42-043 Bug-Reported-by: konsolebox <konsolebox@gmail.com> Bug-Reference-ID: <CAJnmqwZuGKLgMsMwxRK4LL+2NN+HgvmKzrnode99QBGrcgX1Lw@mail.gmail.com> Bug-Reference-URL: http://lists.gnu.org/archive/html/bug-bash/2013-01/msg00138.html Bug-Description: When SIGCHLD is trapped, and a SIGCHLD trap handler runs when a pending `read -t' invocation times out and generates SIGALRM, bash can crash with a segmentation fault. Patch (apply with `patch -p0'): *** ../bash-4.2-patched/builtins/read.def 2012-10-31 21:22:51.000517000 -0400 --- builtins/read.def 2013-01-25 10:28:16.000038000 -0500 *************** *** 386,393 **** /* Tricky. The top of the unwind-protect stack is the free of input_string. We want to run all the rest and use input_string, ! so we have to remove it from the stack. */ ! remove_unwind_protect (); ! run_unwind_frame ("read_builtin"); input_string[i] = '\0'; /* make sure it's terminated */ retval = 128+SIGALRM; goto assign_vars; --- 386,403 ---- /* Tricky. The top of the unwind-protect stack is the free of input_string. We want to run all the rest and use input_string, ! so we have to save input_string temporarily, run the unwind- ! protects, then restore input_string so we can use it later. */ ! input_string[i] = '\0'; /* make sure it's terminated */ + if (i == 0) + { + t = (char *)xmalloc (1); + t[0] = 0; + } + else + t = savestring (input_string); + + run_unwind_frame ("read_builtin"); + input_string = t; retval = 128+SIGALRM; goto assign_vars; *** ../bash-4.2-patched/patchlevel.h Sat Jun 12 20:14:48 2010 --- patchlevel.h Thu Feb 24 21:41:34 2011 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 42 #endif /* _PATCHLEVEL_H_ */ --- 26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 43 #endif /* _PATCHLEVEL_H_ */