buildroot/package/bash/bash-001-patchlevel1-27.patch

Update bash to patchlevel 27.
It's basically a single patch made out from
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/ (bash43-001 to 027).
Fixes CVE-2014-6271 (level 25):
Under certain circumstances, bash will execute user code while processing the
environment for exported function definitions.
Level 26-27 are refinements/improved fixes on CVE-2014-6271.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>

diff -Nura bash-4.3/arrayfunc.c bash-4.3.pl27/arrayfunc.c
--- bash-4.3/arrayfunc.c	2013-08-02 17:19:59.000000000 -0300
+++ bash-4.3.pl27/arrayfunc.c	2014-09-28 08:13:40.311842889 -0300
@@ -179,6 +179,7 @@
     array_insert (array_cell (entry), ind, newval);
   FREE (newval);
 
+  VUNSETATTR (entry, att_invisible);	/* no longer invisible */
   return (entry);
 }
 
@@ -597,6 +598,11 @@
       if (assoc_p (var))
 	{
 	  val = expand_assignment_string_to_string (val, 0);
+	  if (val == 0)
+	    {
+	      val = (char *)xmalloc (1);
+	      val[0] = '\0';	/* like do_assignment_internal */
+	    }
 	  free_val = 1;
 	}
 
diff -Nura bash-4.3/bashline.c bash-4.3.pl27/bashline.c
--- bash-4.3/bashline.c	2014-02-09 21:56:58.000000000 -0300
+++ bash-4.3.pl27/bashline.c	2014-09-28 08:13:40.312842925 -0300
@@ -4167,9 +4167,16 @@
   int qc;
 
   qc = rl_dispatching ? rl_completion_quote_character : 0;  
-  dfn = bash_dequote_filename ((char *)text, qc);
+  /* If rl_completion_found_quote != 0, rl_completion_matches will call the
+     filename dequoting function, causing the directory name to be dequoted
+     twice. */
+  if (rl_dispatching && rl_completion_found_quote == 0)
+    dfn = bash_dequote_filename ((char *)text, qc);
+  else
+    dfn = (char *)text;
   m1 = rl_completion_matches (dfn, rl_filename_completion_function);
-  free (dfn);
+  if (dfn != text)
+    free (dfn);
 
   if (m1 == 0 || m1[0] == 0)
     return m1;
diff -Nura bash-4.3/builtins/common.h bash-4.3.pl27/builtins/common.h
--- bash-4.3/builtins/common.h	2013-07-08 17:54:47.000000000 -0300
+++ bash-4.3.pl27/builtins/common.h	2014-09-28 08:13:40.313842959 -0300
@@ -33,6 +33,8 @@
 #define SEVAL_RESETLINE	0x010
 #define SEVAL_PARSEONLY	0x020
 #define SEVAL_NOLONGJMP 0x040
+#define SEVAL_FUNCDEF	0x080		/* only allow function definitions */
+#define SEVAL_ONECMD	0x100		/* only allow a single command */
 
 /* Flags for describe_command, shared between type.def and command.def */
 #define CDESC_ALL		0x001	/* type -a */
diff -Nura bash-4.3/builtins/evalstring.c bash-4.3.pl27/builtins/evalstring.c
--- bash-4.3/builtins/evalstring.c	2014-02-11 11:42:10.000000000 -0300
+++ bash-4.3.pl27/builtins/evalstring.c	2014-09-28 08:13:40.313842959 -0300
@@ -308,6 +308,14 @@
 	    {
 	      struct fd_bitmap *bitmap;
 
+	      if ((flags & SEVAL_FUNCDEF) && command->type != cm_function_def)
+		{
+		  internal_warning ("%s: ignoring function definition attempt", from_file);
+		  should_jump_to_top_level = 0;
+		  last_result = last_command_exit_value = EX_BADUSAGE;
+		  break;
+		}
+
 	      bitmap = new_fd_bitmap (FD_BITMAP_SIZE);
 	      begin_unwind_frame ("pe_dispose");
 	      add_unwind_protect (dispose_fd_bitmap, bitmap);
@@ -368,6 +376,9 @@
 	      dispose_command (command);
 	      dispose_fd_bitmap (bitmap);
 	      discard_unwind_frame ("pe_dispose");
+
+	      if (flags & SEVAL_ONECMD)
+		break;
 	    }
 	}
       else
diff -Nura bash-4.3/builtins/read.def bash-4.3.pl27/builtins/read.def
--- bash-4.3/builtins/read.def	2013-09-02 12:54:00.000000000 -0300
+++ bash-4.3.pl27/builtins/read.def	2014-09-28 08:13:40.313842959 -0300
@@ -442,7 +442,10 @@
       add_unwind_protect (reset_alarm, (char *)NULL);
 #if defined (READLINE)
       if (edit)
-	add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
+	{
+	  add_unwind_protect (reset_attempted_completion_function, (char *)NULL);
+	  add_unwind_protect (bashline_reset_event_hook, (char *)NULL);
+	}
 #endif
       falarm (tmsec, tmusec);
     }
@@ -1021,6 +1024,7 @@
 
   old_attempted_completion_function = rl_attempted_completion_function;
   rl_attempted_completion_function = (rl_completion_func_t *)NULL;
+  bashline_set_event_hook ();
   if (itext)
     {
       old_startup_hook = rl_startup_hook;
@@ -1032,6 +1036,7 @@
 
   rl_attempted_completion_function = old_attempted_completion_function;
   old_attempted_completion_function = (rl_completion_func_t *)NULL;
+  bashline_reset_event_hook ();
 
   if (ret == 0)
     return ret;
diff -Nura bash-4.3/execute_cmd.c bash-4.3.pl27/execute_cmd.c
--- bash-4.3/execute_cmd.c	2014-01-31 12:54:52.000000000 -0300
+++ bash-4.3.pl27/execute_cmd.c	2014-09-28 08:13:40.315843026 -0300
@@ -2409,7 +2409,16 @@
 #endif
       lstdin = wait_for (lastpid);
 #if defined (JOB_CONTROL)
-      exec_result = job_exit_status (lastpipe_jid);
+      /* If wait_for removes the job from the jobs table, use result of last
+	 command as pipeline's exit status as usual.  The jobs list can get
+	 frozen and unfrozen at inconvenient times if there are multiple pipelines
+	 running simultaneously. */
+      if (INVALID_JOB (lastpipe_jid) == 0)
+	exec_result = job_exit_status (lastpipe_jid);
+      else if (pipefail_opt)
+	exec_result = exec_result | lstdin;	/* XXX */
+      /* otherwise we use exec_result */
+        
 #endif
       unfreeze_jobs_list ();
     }
diff -Nura bash-4.3/externs.h bash-4.3.pl27/externs.h
--- bash-4.3/externs.h	2014-01-02 16:58:20.000000000 -0300
+++ bash-4.3.pl27/externs.h	2014-09-28 08:13:40.315843026 -0300
@@ -324,6 +324,7 @@
 extern char *sh_backslash_quote __P((char *, const char *, int));
 extern char *sh_backslash_quote_for_double_quotes __P((char *));
 extern int sh_contains_shell_metas __P((char *));
+extern int sh_contains_quotes __P((char *));
 
 /* declarations for functions defined in lib/sh/spell.c */
 extern int spname __P((char *, char *));
diff -Nura bash-4.3/jobs.c bash-4.3.pl27/jobs.c
--- bash-4.3/jobs.c	2014-01-10 11:05:34.000000000 -0300
+++ bash-4.3.pl27/jobs.c	2014-09-28 08:13:40.316843059 -0300
@@ -3597,6 +3597,7 @@
   unwind_protect_int (jobs_list_frozen);
   unwind_protect_pointer (the_pipeline);
   unwind_protect_pointer (subst_assign_varlist);
+  unwind_protect_pointer (this_shell_builtin);
 
   /* We have to add the commands this way because they will be run
      in reverse order of adding.  We don't want maybe_set_sigchld_trap ()
@@ -4374,7 +4375,7 @@
 void
 end_job_control ()
 {
-  if (interactive_shell)		/* XXX - should it be interactive? */
+  if (interactive_shell || job_control)		/* XXX - should it be just job_control? */
     {
       terminate_stopped_jobs ();
 
diff -Nura bash-4.3/lib/glob/glob.c bash-4.3.pl27/lib/glob/glob.c
--- bash-4.3/lib/glob/glob.c	2014-01-31 23:43:51.000000000 -0300
+++ bash-4.3.pl27/lib/glob/glob.c	2014-09-28 08:13:40.317843093 -0300
@@ -123,6 +123,8 @@
 extern char *glob_patscan __P((char *, char *, int));
 extern wchar_t *glob_patscan_wc __P((wchar_t *, wchar_t *, int));
 
+extern char *glob_dirscan __P((char *, int));
+
 /* Compile `glob_loop.c' for single-byte characters. */
 #define CHAR	unsigned char
 #define INT	int
@@ -179,42 +181,53 @@
      char *pat, *dname;
      int flags;
 {
-  char *pp, *pe, *t;
-  int n, r;
+  char *pp, *pe, *t, *se;
+  int n, r, negate;
 
+  negate = *pat == '!';
   pp = pat + 2;
-  pe = pp + strlen (pp) - 1;	/*(*/
-  if (*pe != ')')
+  se = pp + strlen (pp) - 1;		/* end of string */
+  pe = glob_patscan (pp, se, 0);	/* end of extglob pattern (( */
+  /* we should check for invalid extglob pattern here */
+  if (pe == 0)
     return 0;
-  if ((t = strchr (pp, '|')) == 0)	/* easy case first */
+
+  /* if pe != se we have more of the pattern at the end of the extglob
+     pattern. Check the easy case first ( */
+  if (pe == se && *pe == ')' && (t = strchr (pp, '|')) == 0)
     {
       *pe = '\0';
+#if defined (HANDLE_MULTIBYTE)
+      r = mbskipname (pp, dname, flags);
+#else
       r = skipname (pp, dname, flags);	/*(*/
+#endif
       *pe = ')';
       return r;
     }
+
+  /* check every subpattern */
   while (t = glob_patscan (pp, pe, '|'))
     {
       n = t[-1];
       t[-1] = '\0';
+#if defined (HANDLE_MULTIBYTE)
+      r = mbskipname (pp, dname, flags);
+#else
       r = skipname (pp, dname, flags);
+#endif
       t[-1] = n;
       if (r == 0)	/* if any pattern says not skip, we don't skip */
         return r;
       pp = t;
     }	/*(*/
 
-  if (pp == pe)		/* glob_patscan might find end of pattern */
+  /* glob_patscan might find end of pattern */
+  if (pp == se)
     return r;
 
-  *pe = '\0';
-#  if defined (HANDLE_MULTIBYTE)
-  r = mbskipname (pp, dname, flags);	/*(*/
-#  else
-  r = skipname (pp, dname, flags);	/*(*/
-#  endif
-  *pe = ')';
-  return r;
+  /* but if it doesn't then we didn't match a leading dot */
+  return 0;
 }
 #endif
 
@@ -277,20 +290,23 @@
      int flags;
 {
 #if EXTENDED_GLOB
-  wchar_t *pp, *pe, *t, n;
-  int r;
+  wchar_t *pp, *pe, *t, n, *se;
+  int r, negate;
 
+  negate = *pat == L'!';
   pp = pat + 2;
-  pe = pp + wcslen (pp) - 1;	/*(*/
-  if (*pe != L')')
-    return 0;
-  if ((t = wcschr (pp, L'|')) == 0)
+  se = pp + wcslen (pp) - 1;	/*(*/
+  pe = glob_patscan_wc (pp, se, 0);
+
+  if (pe == se && *pe == ')' && (t = wcschr (pp, L'|')) == 0)
     {
       *pe = L'\0';
       r = wchkname (pp, dname); /*(*/
       *pe = L')';
       return r;
     }
+
+  /* check every subpattern */
   while (t = glob_patscan_wc (pp, pe, '|'))
     {
       n = t[-1];
@@ -305,10 +321,8 @@
   if (pp == pe)		/* glob_patscan_wc might find end of pattern */
     return r;
 
-  *pe = L'\0';
-  r = wchkname (pp, dname);	/*(*/
-  *pe = L')';
-  return r;
+  /* but if it doesn't then we didn't match a leading dot */
+  return 0;
 #else
   return (wchkname (pat, dname));
 #endif
@@ -1006,7 +1020,7 @@
 {
   char **result;
   unsigned int result_size;
-  char *directory_name, *filename, *dname;
+  char *directory_name, *filename, *dname, *fn;
   unsigned int directory_len;
   int free_dirname;			/* flag */
   int dflags;
@@ -1022,6 +1036,18 @@
 
   /* Find the filename.  */
   filename = strrchr (pathname, '/');
+#if defined (EXTENDED_GLOB)
+  if (filename && extended_glob)
+    {
+      fn = glob_dirscan (pathname, '/');
+#if DEBUG_MATCHING
+      if (fn != filename)
+	fprintf (stderr, "glob_filename: glob_dirscan: fn (%s) != filename (%s)\n", fn ? fn : "(null)", filename);
+#endif
+      filename = fn;
+    }
+#endif
+
   if (filename == NULL)
     {
       filename = pathname;
diff -Nura bash-4.3/lib/glob/gmisc.c bash-4.3.pl27/lib/glob/gmisc.c
--- bash-4.3/lib/glob/gmisc.c	2013-10-28 15:45:25.000000000 -0300
+++ bash-4.3.pl27/lib/glob/gmisc.c	2014-09-28 08:13:40.317843093 -0300
@@ -42,6 +42,8 @@
 #define WLPAREN         L'('
 #define WRPAREN         L')'
 
+extern char *glob_patscan __P((char *, char *, int));
+
 /* Return 1 of the first character of WSTRING could match the first
    character of pattern WPAT.  Wide character version. */
 int
@@ -210,6 +212,7 @@
     case '+':
     case '!':
     case '@':
+    case '?':
       return (pat[1] == LPAREN);
     default:
       return 0;
@@ -374,3 +377,34 @@
 
   return matlen;
 }
+
+/* Skip characters in PAT and return the final occurrence of DIRSEP.  This
+   is only called when extended_glob is set, so we have to skip over extglob
+   patterns x(...) */
+char *
+glob_dirscan (pat, dirsep)
+     char *pat;
+     int dirsep;
+{
+  char *p, *d, *pe, *se;
+
+  d = pe = se = 0;
+  for (p = pat; p && *p; p++)
+    {
+      if (extglob_pattern_p (p))
+	{
+	  if (se == 0)
+	    se = p + strlen (p) - 1;
+	  pe = glob_patscan (p + 2, se, 0);
+	  if (pe == 0)
+	    continue;
+	  else if (*pe == 0)
+	    break;
+	  p = pe - 1;	/* will do increment above */
+	  continue;
+	}
+      if (*p ==  dirsep)
+	d = p;
+    }
+  return d;
+}
diff -Nura bash-4.3/lib/readline/display.c bash-4.3.pl27/lib/readline/display.c
--- bash-4.3/lib/readline/display.c	2013-12-27 15:10:56.000000000 -0300
+++ bash-4.3.pl27/lib/readline/display.c	2014-09-28 08:13:40.318843127 -0300
@@ -1637,7 +1637,7 @@
   /* If we are changing the number of invisible characters in a line, and
      the spot of first difference is before the end of the invisible chars,
      lendiff needs to be adjusted. */
-  if (current_line == 0 && !_rl_horizontal_scroll_mode &&
+  if (current_line == 0 && /* !_rl_horizontal_scroll_mode && */
       current_invis_chars != visible_wrap_offset)
     {
       if (MB_CUR_MAX > 1 && rl_byte_oriented == 0)
@@ -1825,8 +1825,13 @@
 	      else
 		_rl_last_c_pos += bytes_to_insert;
 
+	      /* XXX - we only want to do this if we are at the end of the line
+		 so we move there with _rl_move_cursor_relative */
 	      if (_rl_horizontal_scroll_mode && ((oe-old) > (ne-new)))
-		goto clear_rest_of_line;
+		{
+		  _rl_move_cursor_relative (ne-new, new);
+		  goto clear_rest_of_line;
+		}
 	    }
 	}
       /* Otherwise, print over the existing material. */
@@ -2677,7 +2682,8 @@
 {
   if (_rl_echoing_p)
     {
-      _rl_move_vert (_rl_vis_botlin);
+      if (_rl_vis_botlin > 0)	/* minor optimization plus bug fix */
+	_rl_move_vert (_rl_vis_botlin);
       _rl_vis_botlin = 0;
       fflush (rl_outstream);
       rl_restart_output (1, 0);
diff -Nura bash-4.3/lib/readline/input.c bash-4.3.pl27/lib/readline/input.c
--- bash-4.3/lib/readline/input.c	2014-01-10 17:07:08.000000000 -0300
+++ bash-4.3.pl27/lib/readline/input.c	2014-09-28 08:13:40.318843127 -0300
@@ -534,8 +534,16 @@
 	return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF);
       else if (_rl_caught_signal == SIGHUP || _rl_caught_signal == SIGTERM)
 	return (RL_ISSTATE (RL_STATE_READCMD) ? READERR : EOF);
+      /* keyboard-generated signals of interest */
       else if (_rl_caught_signal == SIGINT || _rl_caught_signal == SIGQUIT)
         RL_CHECK_SIGNALS ();
+      /* non-keyboard-generated signals of interest */
+      else if (_rl_caught_signal == SIGALRM
+#if defined (SIGVTALRM)
+		|| _rl_caught_signal == SIGVTALRM
+#endif
+	      )
+        RL_CHECK_SIGNALS ();
 
       if (rl_signal_event_hook)
 	(*rl_signal_event_hook) ();
diff -Nura bash-4.3/lib/readline/misc.c bash-4.3.pl27/lib/readline/misc.c
--- bash-4.3/lib/readline/misc.c	2012-09-01 19:03:11.000000000 -0300
+++ bash-4.3.pl27/lib/readline/misc.c	2014-09-28 08:13:40.319843161 -0300
@@ -461,6 +461,7 @@
 	    saved_undo_list = 0;
 	  /* Set up rl_line_buffer and other variables from history entry */
 	  rl_replace_from_history (entry, 0);	/* entry->line is now current */
+	  entry->data = 0;			/* entry->data is now current undo list */
 	  /* Undo all changes to this history entry */
 	  while (rl_undo_list)
 	    rl_do_undo ();
@@ -468,7 +469,6 @@
 	     the timestamp. */
 	  FREE (entry->line);
 	  entry->line = savestring (rl_line_buffer);
-	  entry->data = 0;
 	}
       entry = previous_history ();
     }
diff -Nura bash-4.3/lib/readline/readline.c bash-4.3.pl27/lib/readline/readline.c
--- bash-4.3/lib/readline/readline.c	2013-10-28 15:58:06.000000000 -0300
+++ bash-4.3.pl27/lib/readline/readline.c	2014-09-28 08:13:40.319843161 -0300
@@ -744,7 +744,8 @@
     r = _rl_subseq_result (r, cxt->oldmap, cxt->okey, (cxt->flags & KSEQ_SUBSEQ));
 
   RL_CHECK_SIGNALS ();
-  if (r == 0)			/* success! */
+  /* We only treat values < 0 specially to simulate recursion. */
+  if (r >= 0 || (r == -1 && (cxt->flags & KSEQ_SUBSEQ) == 0))	/* success! or failure! */
     {
       _rl_keyseq_chain_dispose ();
       RL_UNSETSTATE (RL_STATE_MULTIKEY);
@@ -964,7 +965,7 @@
 #if defined (VI_MODE)
   if (rl_editing_mode == vi_mode && _rl_keymap == vi_movement_keymap &&
       key != ANYOTHERKEY &&
-      rl_key_sequence_length == 1 &&	/* XXX */
+      _rl_dispatching_keymap == vi_movement_keymap &&
       _rl_vi_textmod_command (key))
     _rl_vi_set_last (key, rl_numeric_arg, rl_arg_sign);
 #endif
diff -Nura bash-4.3/lib/sh/shquote.c bash-4.3.pl27/lib/sh/shquote.c
--- bash-4.3/lib/sh/shquote.c	2013-03-31 22:53:32.000000000 -0300
+++ bash-4.3.pl27/lib/sh/shquote.c	2014-09-28 08:13:40.319843161 -0300
@@ -311,3 +311,17 @@
 
   return (0);
 }
+
+int
+sh_contains_quotes (string)
+     char *string;
+{
+  char *s;
+
+  for (s = string; s && *s; s++)
+    {
+      if (*s == '\'' || *s == '"' || *s == '\\')
+	return 1;
+    }
+  return 0;
+}
diff -Nura bash-4.3/parse.y bash-4.3.pl27/parse.y
--- bash-4.3/parse.y	2014-02-11 11:42:10.000000000 -0300
+++ bash-4.3.pl27/parse.y	2014-09-28 08:14:06.094720199 -0300
@@ -2424,7 +2424,7 @@
 	 not already end in an EOF character.  */
       if (shell_input_line_terminator != EOF)
 	{
-	  if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
+	  if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
 	    shell_input_line = (char *)xrealloc (shell_input_line,
 					1 + (shell_input_line_size += 2));
 
@@ -2642,7 +2642,7 @@
   int r;
 
   r = 0;
-  while (need_here_doc)
+  while (need_here_doc > 0)
     {
       parser_state |= PST_HEREDOC;
       make_here_document (redir_stack[r++], line_number);
@@ -2953,6 +2953,8 @@
   FREE (word_desc_to_read);
   word_desc_to_read = (WORD_DESC *)NULL;
 
+  eol_ungetc_lookahead = 0;
+
   current_token = '\n';		/* XXX */
   last_read_token = '\n';
   token_to_read = '\n';
@@ -3398,7 +3400,7 @@
          within a double-quoted ${...} construct "an even number of
          unescaped double-quotes or single-quotes, if any, shall occur." */
       /* This was changed in Austin Group Interp 221 */
-      if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
+      if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
 	continue;
 
       /* Could also check open == '`' if we want to parse grouping constructs
@@ -6075,6 +6077,7 @@
 
   ps->expand_aliases = expand_aliases;
   ps->echo_input_at_read = echo_input_at_read;
+  ps->need_here_doc = need_here_doc;
 
   ps->token = token;
   ps->token_buffer_size = token_buffer_size;
@@ -6123,6 +6126,7 @@
 
   expand_aliases = ps->expand_aliases;
   echo_input_at_read = ps->echo_input_at_read;
+  need_here_doc = ps->need_here_doc;
 
   FREE (token);
   token = ps->token;
diff -Nura bash-4.3/patchlevel.h bash-4.3.pl27/patchlevel.h
--- bash-4.3/patchlevel.h	2012-12-29 12:47:57.000000000 -0300
+++ bash-4.3.pl27/patchlevel.h	2014-09-28 08:14:07.486767564 -0300
@@ -25,6 +25,6 @@
    regexp `^#define[ 	]*PATCHLEVEL', since that's what support/mkversion.sh
    looks for to find the patch level (for the sccs version string). */
 
-#define PATCHLEVEL 0
+#define PATCHLEVEL 27
 
 #endif /* _PATCHLEVEL_H_ */
diff -Nura bash-4.3/pcomplete.c bash-4.3.pl27/pcomplete.c
--- bash-4.3/pcomplete.c	2013-08-26 16:23:45.000000000 -0300
+++ bash-4.3.pl27/pcomplete.c	2014-09-28 08:13:40.321843229 -0300
@@ -183,6 +183,7 @@
 
 COMPSPEC *pcomp_curcs;
 const char *pcomp_curcmd;
+const char *pcomp_curtxt;
 
 #ifdef DEBUG
 /* Debugging code */
@@ -753,6 +754,32 @@
 	     quoted strings. */
 	  dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
 	}
+      /* Intended to solve a mismatched assumption by bash-completion.  If
+	 the text to be completed is empty, but bash-completion turns it into
+	 a quoted string ('') assuming that this code will dequote it before
+	 calling readline, do the dequoting. */
+      else if (iscompgen && iscompleting &&
+	       pcomp_curtxt && *pcomp_curtxt == 0 &&
+	       text && (*text == '\'' || *text == '"') && text[1] == text[0] && text[2] == 0 && 
+	       rl_filename_dequoting_function)
+	dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
+      /* Another mismatched assumption by bash-completion.  If compgen is being
+      	 run as part of bash-completion, and the argument to compgen is not
+      	 the same as the word originally passed to the programmable completion
+      	 code, dequote the argument if it has quote characters.  It's an
+      	 attempt to detect when bash-completion is quoting its filename
+      	 argument before calling compgen. */
+      /* We could check whether gen_shell_function_matches is in the call
+	 stack by checking whether the gen-shell-function-matches tag is in
+	 the unwind-protect stack, but there's no function to do that yet.
+	 We could simply check whether we're executing in a function by
+	 checking variable_context, and may end up doing that. */
+      else if (iscompgen && iscompleting && rl_filename_dequoting_function &&
+	       pcomp_curtxt && text &&
+	       STREQ (pcomp_curtxt, text) == 0 &&
+	       variable_context &&
+	       sh_contains_quotes (text))	/* guess */
+	dfn = (*rl_filename_dequoting_function) ((char *)text, rl_completion_quote_character);
       else
 	dfn = savestring (text);
     }
@@ -1522,7 +1549,7 @@
      COMPSPEC **lastcs;
 {
   COMPSPEC *cs, *oldcs;
-  const char *oldcmd;
+  const char *oldcmd, *oldtxt;
   STRINGLIST *ret;
 
   cs = progcomp_search (ocmd);
@@ -1545,14 +1572,17 @@
 
   oldcs = pcomp_curcs;
   oldcmd = pcomp_curcmd;
+  oldtxt = pcomp_curtxt;
 
   pcomp_curcs = cs;
   pcomp_curcmd = cmd;
+  pcomp_curtxt = word;
 
   ret = gen_compspec_completions (cs, cmd, word, start, end, foundp);
 
   pcomp_curcs = oldcs;
   pcomp_curcmd = oldcmd;
+  pcomp_curtxt = oldtxt;
 
   /* We need to conditionally handle setting *retryp here */
   if (retryp)
diff -Nura bash-4.3/shell.h bash-4.3.pl27/shell.h
--- bash-4.3/shell.h	2012-12-25 23:11:01.000000000 -0300
+++ bash-4.3.pl27/shell.h	2014-09-28 08:13:40.321843229 -0300
@@ -168,7 +168,8 @@
   /* flags state affecting the parser */
   int expand_aliases;
   int echo_input_at_read;
-  
+  int need_here_doc;
+
 } sh_parser_state_t;
 
 typedef struct _sh_input_line_state_t {
diff -Nura bash-4.3/subst.c bash-4.3.pl27/subst.c
--- bash-4.3/subst.c	2014-01-23 18:26:37.000000000 -0300
+++ bash-4.3.pl27/subst.c	2014-09-28 08:13:40.322843263 -0300
@@ -1192,12 +1192,18 @@
    Start extracting at (SINDEX) as if we had just seen "<(".
    Make (SINDEX) get the position of the matching ")". */ /*))*/
 char *
-extract_process_subst (string, starter, sindex)
+extract_process_subst (string, starter, sindex, xflags)
      char *string;
      char *starter;
      int *sindex;
+     int xflags;
 {
+#if 0
   return (extract_delimited_string (string, sindex, starter, "(", ")", SX_COMMAND));
+#else
+  xflags |= (no_longjmp_on_fatal_error ? SX_NOLONGJMP : 0);
+  return (xparse_dolparen (string, string+*sindex, sindex, xflags));
+#endif
 }
 #endif /* PROCESS_SUBSTITUTION */
 
@@ -1785,7 +1791,7 @@
 	  si = i + 2;
 	  if (string[si] == '\0')
 	    CQ_RETURN(si);
-	  temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si);
+	  temp = extract_process_subst (string, (c == '<') ? "<(" : ">(", &si, 0);
 	  free (temp);		/* no SX_ALLOC here */
 	  i = si;
 	  if (string[i] == '\0')
@@ -3248,8 +3254,10 @@
   if (w->word == 0 || w->word[0] == '\0')
     return ((char *)NULL);
 
+  expand_no_split_dollar_star = 1;
   w->flags |= W_NOSPLIT2;
   l = call_expand_word_internal (w, 0, 0, (int *)0, (int *)0);
+  expand_no_split_dollar_star = 0;
   if (l)
     {
       if (special == 0)			/* LHS */
@@ -7366,7 +7374,13 @@
     }
 
   if (want_indir)
-    tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
+    {
+      tdesc = parameter_brace_expand_indir (name + 1, var_is_special, quoted, quoted_dollar_atp, contains_dollar_at);
+      /* Turn off the W_ARRAYIND flag because there is no way for this function
+	 to return the index we're supposed to be using. */
+      if (tdesc && tdesc->flags)
+	tdesc->flags &= ~W_ARRAYIND;
+    }
   else
     tdesc = parameter_brace_expand_word (name, var_is_special, quoted, PF_IGNUNBOUND|(pflags&(PF_NOSPLIT2|PF_ASSIGNRHS)), &ind);
 
@@ -7847,6 +7861,10 @@
 	 We also want to make sure that splitting is done no matter what --
 	 according to POSIX.2, this expands to a list of the positional
 	 parameters no matter what IFS is set to. */
+      /* XXX - what to do when in a context where word splitting is not
+	 performed? Even when IFS is not the default, posix seems to imply
+	 that we behave like unquoted $* ?  Maybe we should use PF_NOSPLIT2
+	 here. */
       temp = string_list_dollar_at (list, (pflags & PF_ASSIGNRHS) ? (quoted|Q_DOUBLE_QUOTES) : quoted);
 
       tflag |= W_DOLLARAT;
@@ -8029,7 +8047,9 @@
 
 	  goto return0;
 	}
-      else if (var = find_variable_last_nameref (temp1))
+      else if (var && (invisible_p (var) || var_isset (var) == 0))
+	temp = (char *)NULL;
+      else if ((var = find_variable_last_nameref (temp1)) && var_isset (var) && invisible_p (var) == 0)
 	{
 	  temp = nameref_cell (var);
 #if defined (ARRAY_VARS)
@@ -8243,7 +8263,7 @@
 	    else
 	      t_index = sindex + 1; /* skip past both '<' and LPAREN */
 
-	    temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index); /*))*/
+	    temp1 = extract_process_subst (string, (c == '<') ? "<(" : ">(", &t_index, 0); /*))*/
 	    sindex = t_index;
 
 	    /* If the process substitution specification is `<()', we want to
@@ -8816,6 +8836,7 @@
   else
     {
       char *ifs_chars;
+      char *tstring;
 
       ifs_chars = (quoted_dollar_at || has_dollar_at) ? ifs_value : (char *)NULL;
 
@@ -8830,11 +8851,36 @@
 	 regardless of what else has happened to IFS since the expansion. */
       if (split_on_spaces)
 	list = list_string (istring, " ", 1);	/* XXX quoted == 1? */
+      /* If we have $@ (has_dollar_at != 0) and we are in a context where we
+	 don't want to split the result (W_NOSPLIT2), and we are not quoted,
+	 we have already separated the arguments with the first character of
+	 $IFS.  In this case, we want to return a list with a single word
+	 with the separator possibly replaced with a space (it's what other
+	 shells seem to do).
+	 quoted_dollar_at is internal to this function and is set if we are
+	 passed an argument that is unquoted (quoted == 0) but we encounter a
+	 double-quoted $@ while expanding it. */
+      else if (has_dollar_at && quoted_dollar_at == 0 && ifs_chars && quoted == 0 && (word->flags & W_NOSPLIT2))
+	{
+	  /* Only split and rejoin if we have to */
+	  if (*ifs_chars && *ifs_chars != ' ')
+	    {
+	      list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1);
+	      tstring = string_list (list);
+	    }
+	  else
+	    tstring = istring;
+	  tword = make_bare_word (tstring);
+	  if (tstring != istring)
+	    free (tstring);
+	  goto set_word_flags;
+	}
       else if (has_dollar_at && ifs_chars)
 	list = list_string (istring, *ifs_chars ? ifs_chars : " ", 1);
       else
 	{
 	  tword = make_bare_word (istring);
+set_word_flags:
 	  if ((quoted & (Q_DOUBLE_QUOTES|Q_HERE_DOCUMENT)) || (quoted_state == WHOLLY_QUOTED))
 	    tword->flags |= W_QUOTED;
 	  if (word->flags & W_ASSIGNMENT)
diff -Nura bash-4.3/subst.h bash-4.3.pl27/subst.h
--- bash-4.3/subst.h	2014-01-11 23:02:27.000000000 -0300
+++ bash-4.3.pl27/subst.h	2014-09-28 08:13:40.322843263 -0300
@@ -82,7 +82,7 @@
 /* Extract the <( or >( construct in STRING, and return a new string.
    Start extracting at (SINDEX) as if we had just seen "<(".
    Make (SINDEX) get the position just after the matching ")". */
-extern char *extract_process_subst __P((char *, char *, int *));
+extern char *extract_process_subst __P((char *, char *, int *, int));
 #endif /* PROCESS_SUBSTITUTION */
 
 /* Extract the name of the variable to bind to from the assignment string. */
diff -Nura bash-4.3/test.c bash-4.3.pl27/test.c
--- bash-4.3/test.c	2014-02-04 18:52:58.000000000 -0300
+++ bash-4.3.pl27/test.c	2014-09-28 08:13:40.323843297 -0300
@@ -646,8 +646,8 @@
       return (v && invisible_p (v) == 0 && var_isset (v) ? TRUE : FALSE);
 
     case 'R':
-      v = find_variable (arg);
-      return (v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v) ? TRUE : FALSE);
+      v = find_variable_noref (arg);
+      return ((v && invisible_p (v) == 0 && var_isset (v) && nameref_p (v)) ? TRUE : FALSE);
     }
 
   /* We can't actually get here, but this shuts up gcc. */
@@ -723,6 +723,7 @@
     case 'o': case 'p': case 'r': case 's': case 't':
     case 'u': case 'v': case 'w': case 'x': case 'z':
     case 'G': case 'L': case 'O': case 'S': case 'N':
+    case 'R':
       return (1);
     }
 
diff -Nura bash-4.3/trap.c bash-4.3.pl27/trap.c
--- bash-4.3/trap.c	2014-02-05 12:03:21.000000000 -0300
+++ bash-4.3.pl27/trap.c	2014-09-28 08:13:40.323843297 -0300
@@ -920,7 +920,8 @@
       subst_assign_varlist = 0;
 
 #if defined (JOB_CONTROL)
-      save_pipeline (1);	/* XXX only provides one save level */
+      if (sig != DEBUG_TRAP)	/* run_debug_trap does this */
+	save_pipeline (1);	/* XXX only provides one save level */
 #endif
 
       /* If we're in a function, make sure return longjmps come here, too. */
@@ -940,7 +941,8 @@
       trap_exit_value = last_command_exit_value;
 
 #if defined (JOB_CONTROL)
-      restore_pipeline (1);
+      if (sig != DEBUG_TRAP)	/* run_debug_trap does this */
+	restore_pipeline (1);
 #endif
 
       subst_assign_varlist = save_subst_varlist;
diff -Nura bash-4.3/variables.c bash-4.3.pl27/variables.c
--- bash-4.3/variables.c	2014-02-14 13:55:12.000000000 -0300
+++ bash-4.3.pl27/variables.c	2014-09-28 08:14:07.486767564 -0300
@@ -83,6 +83,11 @@
 
 #define ifsname(s)	((s)[0] == 'I' && (s)[1] == 'F' && (s)[2] == 'S' && (s)[3] == '\0')
 
+#define BASHFUNC_PREFIX		"BASH_FUNC_"
+#define BASHFUNC_PREFLEN	10	/* == strlen(BASHFUNC_PREFIX */
+#define BASHFUNC_SUFFIX		"%%"
+#define BASHFUNC_SUFFLEN	2	/* == strlen(BASHFUNC_SUFFIX) */
+
 extern char **environ;
 
 /* Variables used here and defined in other files. */
@@ -279,7 +284,7 @@
 static void propagate_temp_var __P((PTR_T));
 static void dispose_temporary_env __P((sh_free_func_t *));     
 
-static inline char *mk_env_string __P((const char *, const char *));
+static inline char *mk_env_string __P((const char *, const char *, int));
 static char **make_env_array_from_var_list __P((SHELL_VAR **));
 static char **make_var_export_array __P((VAR_CONTEXT *));
 static char **make_func_export_array __P((void));
@@ -349,24 +354,33 @@
 
       /* If exported function, define it now.  Don't import functions from
 	 the environment in privileged mode. */
-      if (privmode == 0 && read_but_dont_execute == 0 && STREQN ("() {", string, 4))
+      if (privmode == 0 && read_but_dont_execute == 0 && 
+          STREQN (BASHFUNC_PREFIX, name, BASHFUNC_PREFLEN) &&
+          STREQ (BASHFUNC_SUFFIX, name + char_index - BASHFUNC_SUFFLEN) &&
+	  STREQN ("() {", string, 4))
 	{
-	  string_length = strlen (string);
-	  temp_string = (char *)xmalloc (3 + string_length + char_index);
+	  size_t namelen;
+	  char *tname;		/* desired imported function name */
 
-	  strcpy (temp_string, name);
-	  temp_string[char_index] = ' ';
-	  strcpy (temp_string + char_index + 1, string);
+	  namelen = char_index - BASHFUNC_PREFLEN - BASHFUNC_SUFFLEN;
 
-	  if (posixly_correct == 0 || legal_identifier (name))
-	    parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST);
+	  tname = name + BASHFUNC_PREFLEN;	/* start of func name */
+	  tname[namelen] = '\0';		/* now tname == func name */
+
+	  string_length = strlen (string);
+	  temp_string = (char *)xmalloc (namelen + string_length + 2);
 
-	  /* Ancient backwards compatibility.  Old versions of bash exported
-	     functions like name()=() {...} */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '(')
-	    name[char_index - 2] = '\0';
+	  memcpy (temp_string, tname, namelen);
+	  temp_string[namelen] = ' ';
+	  memcpy (temp_string + namelen + 1, string, string_length + 1);
+
+	  /* Don't import function names that are invalid identifiers from the
+	     environment, though we still allow them to be defined as shell
+	     variables. */
+	  if (absolute_program (tname) == 0 && (posixly_correct == 0 || legal_identifier (tname)))
+	    parse_and_execute (temp_string, tname, SEVAL_NONINT|SEVAL_NOHIST|SEVAL_FUNCDEF|SEVAL_ONECMD);
 
-	  if (temp_var = find_function (name))
+	  if (temp_var = find_function (tname))
 	    {
 	      VSETATTR (temp_var, (att_exported|att_imported));
 	      array_needs_making = 1;
@@ -379,12 +393,11 @@
 		  array_needs_making = 1;
 		}
 	      last_command_exit_value = 1;
-	      report_error (_("error importing function definition for `%s'"), name);
+	      report_error (_("error importing function definition for `%s'"), tname);
 	    }
 
-	  /* ( */
-	  if (name[char_index - 1] == ')' && name[char_index - 2] == '\0')
-	    name[char_index - 2] = '(';		/* ) */
+	  /* Restore original suffix */
+	  tname[namelen] = BASHFUNC_SUFFIX[0];
 	}
 #if defined (ARRAY_VARS)
 #  if ARRAY_EXPORT
@@ -2197,10 +2210,7 @@
   /* local foo; local foo;  is a no-op. */
   old_var = find_variable (name);
   if (old_var && local_p (old_var) && old_var->context == variable_context)
-    {
-      VUNSETATTR (old_var, att_invisible);	/* XXX */
-      return (old_var);
-    }
+    return (old_var);
 
   was_tmpvar = old_var && tempvar_p (old_var);
   /* If we're making a local variable in a shell function, the temporary env
@@ -2963,7 +2973,7 @@
   var->context = variable_context;	/* XXX */
 
   INVALIDATE_EXPORTSTR (var);
-  var->exportstr = mk_env_string (name, value);
+  var->exportstr = mk_env_string (name, value, 0);
 
   array_needs_making = 1;
 
@@ -3861,21 +3871,42 @@
 /* **************************************************************** */
 
 static inline char *
-mk_env_string (name, value)
+mk_env_string (name, value, isfunc)
      const char *name, *value;
+     int isfunc;
 {
-  int name_len, value_len;
-  char	*p;
+  size_t name_len, value_len;
+  char	*p, *q;
 
   name_len = strlen (name);
   value_len = STRLEN (value);
-  p = (char *)xmalloc (2 + name_len + value_len);
-  strcpy (p, name);
-  p[name_len] = '=';
+
+  /* If we are exporting a shell function, construct the encoded function
+     name. */
+  if (isfunc && value)
+    {
+      p = (char *)xmalloc (BASHFUNC_PREFLEN + name_len + BASHFUNC_SUFFLEN + value_len + 2);
+      q = p;
+      memcpy (q, BASHFUNC_PREFIX, BASHFUNC_PREFLEN);
+      q += BASHFUNC_PREFLEN;
+      memcpy (q, name, name_len);
+      q += name_len;
+      memcpy (q, BASHFUNC_SUFFIX, BASHFUNC_SUFFLEN);
+      q += BASHFUNC_SUFFLEN;
+    }
+  else
+    {
+      p = (char *)xmalloc (2 + name_len + value_len);
+      memcpy (p, name, name_len);
+      q = p + name_len;
+    }
+
+  q[0] = '=';
   if (value && *value)
-    strcpy (p + name_len + 1, value);
+    memcpy (q + 1, value, value_len + 1);
   else
-    p[name_len + 1] = '\0';
+    q[1] = '\0';
+
   return (p);
 }
 
@@ -3961,7 +3992,7 @@
 	  /* Gee, I'd like to get away with not using savestring() if we're
 	     using the cached exportstr... */
 	  list[list_index] = USE_EXPORTSTR ? savestring (value)
-					   : mk_env_string (var->name, value);
+					   : mk_env_string (var->name, value, function_p (var));
 
 	  if (USE_EXPORTSTR == 0)
 	    SAVE_EXPORTSTR (var, list[list_index]);
diff -Nura bash-4.3/y.tab.c bash-4.3.pl27/y.tab.c
--- bash-4.3/y.tab.c	2014-02-11 12:57:47.000000000 -0300
+++ bash-4.3.pl27/y.tab.c	2014-09-28 08:14:06.096720267 -0300
@@ -4736,7 +4736,7 @@
 	 not already end in an EOF character.  */
       if (shell_input_line_terminator != EOF)
 	{
-	  if (shell_input_line_size < SIZE_MAX && shell_input_line_len > shell_input_line_size - 3)
+	  if (shell_input_line_size < SIZE_MAX-3 && (shell_input_line_len+3 > shell_input_line_size))
 	    shell_input_line = (char *)xrealloc (shell_input_line,
 					1 + (shell_input_line_size += 2));
 
@@ -4954,7 +4954,7 @@
   int r;
 
   r = 0;
-  while (need_here_doc)
+  while (need_here_doc > 0)
     {
       parser_state |= PST_HEREDOC;
       make_here_document (redir_stack[r++], line_number);
@@ -5265,6 +5265,8 @@
   FREE (word_desc_to_read);
   word_desc_to_read = (WORD_DESC *)NULL;
 
+  eol_ungetc_lookahead = 0;
+
   current_token = '\n';		/* XXX */
   last_read_token = '\n';
   token_to_read = '\n';
@@ -5710,7 +5712,7 @@
          within a double-quoted ${...} construct "an even number of
          unescaped double-quotes or single-quotes, if any, shall occur." */
       /* This was changed in Austin Group Interp 221 */
-      if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
+      if MBTEST(posixly_correct && shell_compatibility_level > 41 && dolbrace_state != DOLBRACE_QUOTE && dolbrace_state != DOLBRACE_QUOTE2 && (flags & P_DQUOTE) && (flags & P_DOLBRACE) && ch == '\'')
 	continue;
 
       /* Could also check open == '`' if we want to parse grouping constructs
@@ -8387,6 +8389,7 @@
 
   ps->expand_aliases = expand_aliases;
   ps->echo_input_at_read = echo_input_at_read;
+  ps->need_here_doc = need_here_doc;
 
   ps->token = token;
   ps->token_buffer_size = token_buffer_size;
@@ -8435,6 +8438,7 @@
 
   expand_aliases = ps->expand_aliases;
   echo_input_at_read = ps->echo_input_at_read;
+  need_here_doc = ps->need_here_doc;
 
   FREE (token);
   token = ps->token;
@@ -8537,4 +8541,3 @@
     }
 }
 #endif /* HANDLE_MULTIBYTE */
-