Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: zsh 5.0.5-dev-2



On Sun, Aug 17, 2014 at 10:30:30AM -0700, Bart Schaefer wrote:
> On Aug 16,  8:35am, Han Pingtian wrote:
> }
> } I have tried PATH_MAX*3 and PATH_MAX*3 - 1, they both can fix the
> } buffer overflow here. I also tried PATH_MAX*2 + 1/2/3, they don't 
> } fix this problem. 
> 
> I suspect Fortify is reporting a potential error rather than a real
> one, because we'd presumably have seen other problems before this if
> "cd .." actually caused an 8kb buffer on the stack to overflow.
> 
> The whole symlink-chasing code is probably ripe to be rewritten with
> zsh-heap (or even malloc + static pointers) allocation unless we have
> reason to believe that's a serious performance issue.
> 
> For the nonce I'll just commit xbuf2[PATH_MAX*3].

FYI.

I have tried to print the length of xbuf and *pp before the sprintf(). Looks
like when the overflow is being triggered, the length of xbuf is 8188, and the
length of *pp is 10.

After changing xbuf2's length to PATH_MAX*3, the result is the same:
when zsh prints

zsh: path expansion failed, using root directory

the length of xbuf is 8188 and length of *pp is 10.

All the tests were performed on top of 2be0d8bdef401b6bca0c80a7bd78d658e862e38e;
I haven't yet merged your new commit.

Thanks.
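The lengths reported in this message make the Fortify report easy to check by hand. The following is an added example written for this archive page, not zsh's own code: it assumes the sprintf() in question has the form sprintf(xbuf2, "%s/%s", xbuf, *pp) (the real format string is not shown in the thread) and assumes the Linux PATH_MAX of 4096, fixed as a local constant so the arithmetic does not shift on other platforms. It computes the bytes such a call needs for the reported inputs, and shows a bounded replacement that refuses the join instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Added example for this thread, not zsh's own code. It models the
 * reported situation: a fixed buffer of PATH_MAX*2 bytes receives
 * xbuf + "/" + *pp through sprintf(). The "%s/%s" format and the
 * Linux PATH_MAX value of 4096 are assumptions; a local constant is
 * used so the numbers below do not change on other platforms. */
#define LINUX_PATH_MAX 4096

/* Bytes an unbounded sprintf("%s/%s") would write, NUL included. */
size_t join_needed(size_t xbuflen, size_t pplen)
{
    return xbuflen + 1 + pplen + 1;
}

/* Bounded replacement for the sprintf: writes "xbuf/pp" into out and
 * never past outsz. Returns 0 on success and -1 if the joined path
 * would not fit; on failure out is left empty so a caller cannot
 * proceed with a truncated path. */
int join_path(char *out, size_t outsz, const char *xbuf, const char *pp)
{
    int n = snprintf(out, outsz, "%s/%s", xbuf, pp);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds constructed inputs of the lengths given in the thread
 * (xbuf 8188 bytes, *pp 10 bytes) and tries the join against a
 * destination of bufsz bytes. Returns join_path's result, or -2 if
 * the requested lengths exceed the scratch buffers. */
int demo(size_t bufsz, size_t xbuflen, size_t pplen)
{
    static char xbuf[LINUX_PATH_MAX * 3];
    static char pp[64];
    static char out[LINUX_PATH_MAX * 3];

    if (xbuflen >= sizeof xbuf || pplen >= sizeof pp || bufsz > sizeof out)
        return -2;
    memset(xbuf, 'a', xbuflen);
    xbuf[xbuflen] = '\0';
    memset(pp, 'b', pplen);
    pp[pplen] = '\0';
    return join_path(out, bufsz, xbuf, pp);
}

int main(void)
{
    size_t need = join_needed(8188, 10);
    printf("bytes needed: %zu (PATH_MAX*2 = %d, PATH_MAX*3 = %d)\n",
           need, LINUX_PATH_MAX * 2, LINUX_PATH_MAX * 3);
    printf("PATH_MAX*2 buffer: %s\n",
           demo(LINUX_PATH_MAX * 2, 8188, 10) == 0 ? "fits" : "would overflow");
    printf("PATH_MAX*3 buffer: %s\n",
           demo(LINUX_PATH_MAX * 3, 8188, 10) == 0 ? "fits" : "would overflow");
    return 0;
}
```

Under the assumed format, 8188 + 1 + 10 + 1 = 8200 bytes are needed, 8 more than the 8192-byte PATH_MAX*2 buffer, which is consistent with the earlier observation in the thread that PATH_MAX*2 + 1/2/3 did not help while PATH_MAX*3 - 1 did. Whether the compiler's Fortify check reports a real write or only a potential one, replacing the sprintf with a size-checked snprintf as above turns the case into a reported failure rather than a stack write of uncertain size.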
