From: oss-sec

Fixes CVE-2014-7186 and CVE-2014-7187

--- bash-3.2-orig/parse.y	2014-09-25 18:00:08.742924560 +0200
+++ bash-3.2/parse.y	2014-09-25 17:59:33.488769406 +0200
@@ -253,9 +253,21 @@
 
 /* Variables to manage the task of reading here documents, because we need to
    defer the reading until after a complete command has been collected. */
-static REDIRECT *redir_stack[10];
+static REDIRECT **redir_stack;
 int need_here_doc;
 
+/* Pushes REDIR onto redir_stack, resizing it as needed. */
+static void
+push_redir_stack (REDIRECT *redir)
+{
+  /* Guard against oveflow. */
+  if (need_here_doc + 1 > INT_MAX / sizeof (*redir_stack))
+    abort ();
+  redir_stack = xrealloc (redir_stack,
+			  (need_here_doc + 1) * sizeof (*redir_stack));
+  redir_stack[need_here_doc++] = redir;
+}
+
 /* Where shell input comes from.  History expansion is performed on each
    line when the shell is interactive. */
 static char *shell_input_line = (char *)NULL;
@@ -424,13 +436,13 @@
 			{
 			  redir.filename = $2;
 			  $$ = make_redirection (0, r_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS WORD
 			{
 			  redir.filename = $3;
 			  $$ = make_redirection ($1, r_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	LESS_LESS_LESS WORD
 			{
@@ -487,14 +499,14 @@
 			  redir.filename = $2;
 			  $$ = make_redirection
 			    (0, r_deblank_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	NUMBER LESS_LESS_MINUS WORD
 			{
 			  redir.filename = $3;
 			  $$ = make_redirection
 			    ($1, r_deblank_reading_until, redir);
-			  redir_stack[need_here_doc++] = $$;
+			  push_redir_stack ($$);
 			}
 	|	GREATER_AND '-'
 			{
@@ -3767,7 +3779,7 @@
     case CASE:
     case SELECT:
     case FOR:
-      if (word_top < MAX_CASE_NEST)
+      if (word_top + 1 < MAX_CASE_NEST)
 	word_top++;
       word_lineno[word_top] = line_number;
       break;

