Obscure overflow with very long path; completion

[David Remahl <vuln@xxxxxxxxx>]

I found an interesting problem today...I'm not familiar enough with  
the code base to fully diagnose it myself, so I need your help.  
Although I think it is unlikely, it may have security implications.

Summary:
Some very special circumstances triggers a buffer overflow of some  
kind (I believe it is on the heap, but I have not had time to look  
into it in detail) in the cd builtin.

How to reproduce:
0) The following steps assume that you are working on a file system  
that supports (very) long path names. zsh on Mac OS X 10.4 satisfies  
this, but I have not tested it on other systems.
1) Perform the following script to create a string of 100  
directories, each with a 20 character name in /tmp/work:

mkdir work
cd work

$i=0

while ((i++ < 100)); do
    mkdir "aaaaaaaaaaaaaaaaaaaa"
    cd "aaaaaaaaaaaaaaaaaaaa"
done

2) cd /tmp/work
3) autoload -U compinit; compinit -u
4) cdpath=(.. ~)
5) cd a couple of levels. Type "a" followed by <tab> and "/", then  
tab a number of times.
6) Repeat 5) until you reach the end of the directory hierarchy.  
Pressing tab to complete at this time does nothing or beeps.
7) Press enter.

Expected result:
No crash. I expected cwd to be set to /tmp/work/aaaaaaaaaaaaaaaaaaaa/ 
aaaaaaaaaaaaaaaaaaaa/......./aaaaaaaaaaaaaaaaaaaa

Actual result:
zsh crashes with the following backtrace:

0   libSystem.B.dylib     0x90003364 strcmp + 132
1   zsh                   0x0005ea24 finddir + 164
2   zsh                   0x0005e820 fprintdir + 28
3   zsh                   0x00004a84 cd_able_vars + 1184
4   zsh                   0x00003e00 bin_cd + 464
5   zsh                   0x00002cc4 execbuiltin + 1436
6   zsh                   0x00015838 execsubst + 7144
7   zsh                   0x00012d14 execlist + 4816
8   zsh                   0x000122a0 execlist + 2140
9   zsh                   0x00011c38 execlist + 500
10  zsh                   0x00011888 execode + 68
11  zsh                   0x000268a4 loop + 676
12  zsh                   0x00029470 zsh_main + 596
13  zsh                   0x00001d18 start + 412
14  zsh                   0x00001bb8 start + 60

The full crash log can be found below. Note how address 0x61616161 is  
accessed, indicating that our string of "a":s has overwritten  
something it should not have clobbered. Completion must be turned on,  
and cdpath must be set to (.. ~) (just .. may be sufficient).

I hope someone more experienced with zsh can have a look and fix the  
problem.

/ Regards, David Remahl

% zsh --version
zsh 4.2.3 (powerpc-apple-darwin8.0)

Command: zsh
Path:    /bin/zsh
Parent:  login [4067]

Version: ??? (???)

PID:    4068
Thread: 0

Exception:  EXC_BAD_ACCESS (0x0001)
Codes:      KERN_INVALID_ADDRESS (0x0001) at 0x61616161

Thread 0 Crashed:
0   libSystem.B.dylib     0x90003364 strcmp + 132
1   zsh                   0x0005ea24 finddir + 164
2   zsh                   0x0005e820 fprintdir + 28
3   zsh                   0x00004a84 cd_able_vars + 1184
4   zsh                   0x00003e00 bin_cd + 464
5   zsh                   0x00002cc4 execbuiltin + 1436
6   zsh                   0x00015838 execsubst + 7144
7   zsh                   0x00012d14 execlist + 4816
8   zsh                   0x000122a0 execlist + 2140
9   zsh                   0x00011c38 execlist + 500
10  zsh                   0x00011888 execode + 68
11  zsh                   0x000268a4 loop + 676
12  zsh                   0x00029470 zsh_main + 596
13  zsh                   0x00001d18 start + 412
14  zsh                   0x00001bb8 start + 60

Thread 0 crashed with PPC Thread State:
  srr0: 0x90003364 srr1: 0x0200f030                vrsave: 0x00000000
    cr: 0x48022244  xer: 0x20000004   lr: 0x0005ea24  ctr: 0x000003a7
    r0: 0x000003a7   r1: 0xbffff4e0   r2: 0x00075bec   r3: 0x0181a400
    r4: 0x6161615d   r5: 0xfefefeff   r6: 0x80808080   r7: 0x2f707269
    r8: 0x00000000   r9: 0x00000e9f  r10: 0x5642feff  r11: 0x00071534
   r12: 0x900032e0  r13: 0x00000001  r14: 0x00000000  r15: 0x00000000
   r16: 0x00000000  r17: 0xbffff760  r18: 0x0007f7c0  r19: 0xbffff740
   r20: 0x0006e1f0  r21: 0x00000001  r22: 0x00073c38  r23: 0xbffff760
   r24: 0x00073c38  r25: 0x000748cc  r26: 0x0000000a  r27: 0x0181a400
   r28: 0x0181a400  r29: 0x0006e990  r30: 0x000759dc  r31: 0x0005e990

Binary Images Description:
    0x1000 -    0x6dfff zsh     /bin/zsh
   0x97000 -    0x9bfff parameter.so     /usr/lib/zsh/4.2.3/zsh/ 
parameter.so
   0x9f000 -    0xc0fff zle.so     /usr/lib/zsh/4.2.3/zsh/zle.so
   0xce000 -    0xe4fff complete.so     /usr/lib/zsh/4.2.3/zsh/ 
complete.so
   0xea000 -    0xeefff zutil.so     /usr/lib/zsh/4.2.3/zsh/zutil.so
  0x205000 -   0x210fff computil.so     /usr/lib/zsh/4.2.3/zsh/ 
computil.so
0x8fe00000 - 0x8fe50fff dyld 43    /usr/lib/dyld
0x90000000 - 0x901a6fff libSystem.B.dylib     /usr/lib/libSystem.B.dylib
0x901fe000 - 0x90202fff libmathCommon.A.dylib     /usr/lib/system/ 
libmathCommon.A.dylib
0x92c9b000 - 0x92d89fff libiconv.2.dylib     /usr/lib/libiconv.2.dylib
0x9680c000 - 0x9683afff libncurses.5.4.dylib     /usr/lib/libncurses. 
5.4.dylib

Model: PowerBook3,5, BootROM 4.5.3f2, 1 processors, PowerPC G4   
(3.2), 1 GHz, 1 GB
Graphics: ATY,RV250M9, ATY,RV250M9, AGP, 64 MB
Memory Module: SODIMM0/J16TOP, 512 MB, SDRAM, PC133U-333
Memory Module: SODIMM1/J16BOTTOM, 512 MB, SDRAM, PC133U-333
AirPort: AirPort, 9.52
Modem: MicroDash, Euro, V.92, 1.0F, APPLE VERSION 2.6.4
Network Service: AirPort, AirPort, en1
PCI Card: TXN,PCI1410-02, cardbus, PC Card
Parallel ATA Device: FUJITSU MHS2060AT, 55.89 GB
Parallel ATA Device: MATSHITADVD-R   UJ-815, 3.91 GB