Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

PATCH: environ overflow in zexecve()



Hi people,

The zexecve() function updates $_ before execve'ing any process.
However, if it doesn't find such a variable already in the
environment, it has to add it.

The following code

    if (!*eep)
	eep[1] = NULL;

attempts to shift the end of environ one place further in case
$_ was not found, giving room to add this new variable.

However this is assuming that the memory block allocated for environ is
wide enough to hold one more item.  Otherwise eep[1] is off the
bounds.

The suggested patch below uses zputenv() so that environ is
reallocated if required.

Index: Src/exec.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/exec.c,v
retrieving revision 1.40
diff -u -r1.40 exec.c
--- Src/exec.c	17 Dec 2001 17:17:38 -0000	1.40
+++ Src/exec.c	28 Mar 2002 21:38:59 -0000
@@ -345,6 +345,8 @@
     for (eep = argv; *eep; eep++)
 	if (*eep != pth)
 	    unmetafy(*eep, NULL);
+
+    /* Search $_ in the environment, then update or insert it.  */
     for (eep = environ; *eep; eep++)
 	if (**eep == '_' && (*eep)[1] == '=')
 	    break;
@@ -354,9 +356,11 @@
 	strcpy(buf + 2, pth);
     else
 	sprintf(buf + 2, "%s/%s", pwd, pth);
-    if (!*eep)
-	eep[1] = NULL;
-    *eep = buf;
+    if (*eep)
+      zputenv(buf);
+    else
+      *eep = buf;
+
     closedumps();
     execve(pth, argv, environ);
 
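Review bot: The new branch in this hunk looks inverted. The search loop breaks with *eep non-NULL when $_ is found, so `if (*eep) zputenv(buf);` calls zputenv() for an entry that already exists, while `else *eep = buf;` overwrites the terminating NULL when $_ is missing and leaves environ unterminated at the execve() call. Swap the branches (`if (*eep) *eep = buf; else zputenv(buf);`), check zputenv()'s int return value before calling execve(), and indent the added lines with tabs like the surrounding code.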
Index: Src/params.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/params.c,v
retrieving revision 1.63
diff -u -r1.63 params.c
--- Src/params.c	24 Mar 2002 23:52:49 -0000	1.63
+++ Src/params.c	28 Mar 2002 21:39:12 -0000
@@ -3125,7 +3125,8 @@
 }
 
 
-static int
+/**/
+int
 zputenv(char *str)
 {
 #ifdef HAVE_PUTENV
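Review bot: zputenv() becomes a global entry point here but the definition carries no comment describing its contract. Now that exec.c calls it, document above the definition what the int return value means and whether the function keeps a pointer to str (the HAVE_PUTENV branch suggests it may), so callers know whether the buffer has to outlive the call.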

-- 
Alexandre Duret-Lutz
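
The bounds problem described in the message, as an added example that is not part of the original post and is not zsh code: a stand-alone sketch of "update `_=` in place, or grow the array before appending". The names `set_underscore` and `make_tight_env`, the explicit capacity argument and the sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Hypothetical helper, not zsh code.  *envp is a heap-allocated,
 * NULL-terminated array with room for *cap pointers, terminator included. */
int set_underscore(char ***envp, size_t *cap, char *entry)
{
    char **env = *envp;
    size_t n = 0;
    /* Same search as zexecve(): stop at "_=" or at the terminator. */
    for (; env[n]; n++)
        if (env[n][0] == '_' && env[n][1] == '=')
            break;
    if (env[n]) {                 /* found: overwrite, size unchanged */
        env[n] = entry;
        return 0;
    }
    if (n + 2 > *cap) {           /* n entries + new entry + terminator */
        char **grown = realloc(env, (n + 2) * sizeof *grown);
        if (!grown) return -1;    /* old array is still valid */
        *envp = env = grown;
        *cap = n + 2;
    }
    env[n] = entry;
    env[n + 1] = NULL;            /* in bounds thanks to the check above */
    return 0;
}

/* Constructed sample: an array allocated with no spare slot. */
char **make_tight_env(size_t *cap)
{
    char **env = malloc(3 * sizeof *env);
    if (!env) return NULL;
    env[0] = "HOME=/home/user";
    env[1] = "PATH=/bin";
    env[2] = NULL;
    *cap = 3;
    return env;
}

int main(void)
{
    size_t cap = 0;
    char **env = make_tight_env(&cap);
    int rc = env ? set_underscore(&env, &cap, "_=/bin/ls") : -1;
    for (char **p = env; rc == 0 && *p; p++)
        puts(*p);
    free(env);
    return rc != 0;
}
```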


