Re: Integer overflow during brace expansion

On 27 February 2012 17:22, Leon Weber <leon@xxxxxxxxxxxx> wrote:
> When parsing and expanding 'dotdot' type brace expressions (e.g. {1..3}),
> zsh can encounter integer overflows because the range start and end
> values are stored in two integers without proper bounds checking
> (rstart and rend in glob.c:2092). Particularly,
> this happens when one of the range boundaries is <=-2147483648
> or >=2147483648, like in this example:
>> zsh% echo {-2147483648..-2147483646}
> This will cause zsh to eat up 100% CPU iterating through the loop declared
> in line 2147 in glob.c. In that loop, rend is decreased until it underflows.
> In the third and fourth iterations, we have these conditions:
> This gdb output clearly shows that rend has underflown and is now at the
> far positive end of the valid integer values. zsh will keep iterating
> over that loop and decreasing rend for a really long time.
> For comparison, a bash shell handles this correctly:
>> bash$ echo {-2147483648..-2147483646}
>> -2147483648 -2147483647 -2147483646

$ echo {-2147483648..2147483646}
zsh: segmentation fault  bash
and if you do this
$ echo {0..214783646}^C
it doesn't free the allocated memory until you exit the shell :).

(Of course, just for comparison. In zsh you can't even abort the
process with ctrl-c ;).)

The fix is fairly simple, just change the types involved to zlong. A
problem is that sprintf is used to convert the generated numbers back
to a string, and zlong can be an int or a long, but I forgot if we
have a modifier macro that expands to the correct thing. I remember
asking about it before (and possibly saying I would look in to fixing
it), but at the moment I don't remember what the result was.

With hardcoding it to %ld though, we get
% echo {-121474853646..-121474853650..2}
-121474853646 -121474853648 -121474853650 -121474853660 -121474853657
-121474853654 -121474853651 -121474853648

Mikael Magnusson

