BASH PATCH REPORT
=================
Bash-Release: 5.3
Patch-ID: bash53-009
Bug-Reported-by: penguin p <tgckpg@gmail.com>
Bug-Reference-ID: <TYYPR01MB14049C63D4635628EE867664BFA37A@TYYPR01MB14049.jpnprd01.prod.outlook.com>
Bug-Reference-URL: https://lists.gnu.org/archive/html/bug-bash/2025-08/msg00080.html
Bug-Description:
A SIGINT during a reverse i-search can cause a segmentation fault due to
accessing data freed by a signal handler.
--- a/lib/readline/input.c
+++ b/lib/readline/input.c
@@ -971,11 +971,11 @@ postproc_signal:
call the application's signal event hook. */
if (rl_signal_event_hook)
(*rl_signal_event_hook) ();
-#if defined (READLINE_CALLBACKS)
- else if (osig == SIGINT && (ostate & RL_STATE_CALLBACK) && (ostate & (RL_STATE_ISEARCH|RL_STATE_NSEARCH|RL_STATE_NUMERICARG)))
+ /* If the application's SIGINT handler returns, make sure we abort out of
+ searches and numeric arguments because we've freed necessary state. */
+ if (osig == SIGINT && (ostate & (RL_STATE_ISEARCH|RL_STATE_NSEARCH|RL_STATE_NUMERICARG)))
/* just these cases for now */
_rl_abort_internal ();
-#endif
}
}
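Review bot: The guard before `_rl_abort_internal ()` lists only three state bits, and the retained comment `/* just these cases for now */` admits the list is partial, so any other readline state whose context is released on SIGINT may still reach freed data. The new comment says state has been freed but not where. Naming the function that releases it would let a reader check the list against it, which this hunk does not allow because `ostate` is assigned and the freeing happens outside it. The unbraced `if` with a comment between the condition and its single statement is also easy to break in a later edit; braces around `_rl_abort_internal ();` would make the scope explicit.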
--- a/lib/readline/isearch.c
+++ b/lib/readline/isearch.c
@@ -889,12 +889,14 @@ opcode_dispatch:
int
_rl_isearch_cleanup (_rl_search_cxt *cxt, int r)
{
+ RL_UNSETSTATE(RL_STATE_ISEARCH);
+ if (cxt == 0)
+ return (r != 0);
+
+ _rl_iscxt = 0;
if (r >= 0)
_rl_isearch_fini (cxt);
_rl_scxt_dispose (cxt, 0);
- _rl_iscxt = 0;
-
- RL_UNSETSTATE(RL_STATE_ISEARCH);
return (r != 0);
}
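Review bot: The `if (cxt == 0)` early return only protects callers that pass a pointer already cleared to null. A caller that kept its own copy of the context pointer across the signal would still hand a stale non-null `cxt` to `_rl_isearch_fini` and `_rl_scxt_dispose`. The callers are outside this hunk, so whether any of them does that needs checking there. Nothing in the function says why `RL_UNSETSTATE(RL_STATE_ISEARCH)` and `_rl_iscxt = 0` now come before the dispose calls; a comment such as `/* Clear the state bit and _rl_iscxt before freeing so a handler that runs mid-cleanup does not find CXT again. */` would keep a later cleanup from restoring the old order, assuming that is the intent.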
--- a/patchlevel.h
+++ b/patchlevel.h
@@ -25,6 +25,6 @@
regexp `^#define[ ]*PATCHLEVEL', since that's what support/mkversion.sh
looks for to find the patch level (for the sccs version string). */
-#define PATCHLEVEL 8
+#define PATCHLEVEL 9
#endif /* _PATCHLEVEL_H_ */