BASH PATCH REPORT ================= Bash-Release: 5.3 Patch-ID: bash53-011 Bug-Reported-by: Philippe Grégoire Bug-Reference-ID: Bug-Reference-URL: Bug-Description: If a `mapfile' callback unsets the array variable `mapfile' is using to save the lines it reads, `mapfile' can try to reference freed memory, which can cause corruption or shell crashes. Patch (apply with `patch -p0'): *** ../bash-5.3-patched/builtins/mapfile.def Mon May 6 11:58:48 2024 --- builtins/mapfile.def Mon May 25 16:23:50 2026 *************** *** 154,160 **** unbuffered_read = 0; ! /* The following check should be done before reading any lines. Doing it ! here allows us to call bind_array_element instead of bind_array_variable ! and skip the variable lookup on every call. */ entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY); if (entry == 0) --- 154,158 ---- unbuffered_read = 0; ! /* The following check should be done before reading any lines. */ entry = builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY); if (entry == 0) *************** *** 202,207 **** } ! /* XXX - bad things can happen if the callback modifies ENTRY, e.g., ! unsetting it or changing it to a non-indexed-array type. */ bind_array_element (entry, array_index, line, 0); --- 200,210 ---- } ! /* Bad things can happen if the callback modifies ENTRY, e.g., ! unsetting it or changing it to a non-indexed-array type, so we ! look it up again every time we need to assign something */ ! entry = bind_array_variable (array_name, array_index, line, 0); ! if (entry == 0 || ASSIGN_DISALLOWED (entry, 0)) ! return EXECUTION_FAILURE; ! bind_array_element (entry, array_index, line, 0); *** ../bash-5.3/patchlevel.h 2020-06-22 14:51:03.000000000 -0400 --- patchlevel.h 2020-10-01 11:01:28.000000000 -0400 *************** *** 26,30 **** looks for to find the patch level (for the sccs version string). */ ! 
#define PATCHLEVEL 10 #endif /* _PATCHLEVEL_H_ */ --- 26,30 ---- looks for to find the patch level (for the sccs version string). */ ! #define PATCHLEVEL 11 #endif /* _PATCHLEVEL_H_ */
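Review bot: In the builtins/mapfile.def hunk at new lines 200-210, the element appears to be assigned twice. `entry = bind_array_variable (array_name, array_index, line, 0);` already looks the variable up by name and stores `line` at `array_index`, yet the pre-existing `bind_array_element (entry, array_index, line, 0);` is kept right after the new check and stores the same value again. If the second call is only there for the return value or is left over from the old code, drop it; if it is intentional, the comment should say why. The new `return EXECUTION_FAILURE;` also leaves the read loop directly, and the visible context does not show whether `line` or any other per-call state is released on that path, so it is worth confirming that this exit matches the cleanup done on the normal exit. Minor: the rewritten comment ends without a closing period.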
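Review bot: In the builtins/mapfile.def hunk at new lines 154-158, the shortened comment no longer says how long the `entry` returned by `builtin_find_indexed_array (array_name, flags & MAPF_CLEARARRAY)` can be relied on. With the later hunk re-resolving the variable on every assignment, a sentence here stating that this lookup only validates (and optionally clears) the array up front, and that the pointer must not be reused once a callback has run, would keep a future change from reintroducing the stale reference the bug description mentions.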