Zsh Mailing List Archive
Buffer overflow in "!" handling?
Hello,

I've stumbled upon a buffer overflow in zsh 4.3.9 (and 4.3.6) related
to the handling of the "!" character in the command line (Linux).

It's triggerable by typing "!AAAAAAAAA...A" (lots of A's) at the zsh
prompt (works better if zsh is compiled with stack protection,
otherwise a lot of A's are needed :) ).

A quick look at the code indicates the problem to be in hist.c,
function histsubchar(), where buf[256] is getting overflowed (*ptr is
used to write to the buffer, but no check is made to see if ptr passed
the end of buf).  I might be wrong though, I only took a couple of
minutes to look at the code.
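Added illustration of the write pattern the report describes (this is not zsh's hist.c and not the poster's code): a fixed 256-byte buffer filled through a pointer with no end check, next to a bounds-checked version of the same loop; the delimiters and function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define BUFSZ 256   /* mirrors the buf[256] mentioned in the report */

/* Vulnerable shape: copy the word following '!' until a delimiter,
 * never comparing ptr against the end of buf. A word longer than
 * 255 characters writes past buf[255] onto whatever follows it on
 * the stack. (Delimiters ' ' and ':' are assumed for illustration.) */
int copy_word_unchecked(const char *in, char *buf)
{
    char *ptr = buf;
    while (*in && *in != ' ' && *in != ':')
        *ptr++ = *in++;              /* no check: ptr may pass buf + BUFSZ */
    *ptr = '\0';
    return (int)(ptr - buf);
}

/* Hardened shape: same loop, but it stops at the end of the buffer
 * and reports the overflow to the caller instead of writing past it. */
int copy_word_checked(const char *in, char *buf, size_t bufsz)
{
    char *ptr = buf;
    char *end = buf + bufsz - 1;     /* leave room for the terminator */
    while (*in && *in != ' ' && *in != ':') {
        if (ptr >= end)
            return -1;               /* would overflow: refuse the word */
        *ptr++ = *in++;
    }
    *ptr = '\0';
    return (int)(ptr - buf);
}

/* Runs the checked copy on a constructed word of n_a 'A' characters
 * (the input shape named in the report). Returns the copied length,
 * or -1 once the word no longer fits in buf[256]. Only the checked
 * version is run on long input; the unchecked one would corrupt the
 * stack, which is exactly the defect being reported. */
int demo(size_t n_a)
{
    char input[1024];
    char buf[BUFSZ];
    if (n_a >= sizeof input)
        return -2;                   /* constructed input too long for demo */
    memset(input, 'A', n_a);
    input[n_a] = '\0';
    return copy_word_checked(input, buf, sizeof buf);
}
```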