Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Buffer overflow with long fd numbers in redirects

X-seq: zsh-workers 33370
From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
To: zsh-workers@xxxxxxx
Subject: Re: Buffer overflow with long fd numbers in redirects
Date: Mon, 06 Oct 2014 08:07:09 -0700
In-reply-to: <20141006142434.GC5405@sym.noone.org>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAHYJk3QeCiKGuohbduaFa9cct48oL4c2+weEQKsWpr91EM_YkQ@mail.gmail.com> <20141006142434.GC5405@sym.noone.org>

On Oct 6,  4:24pm, Axel Beckert wrote:
}
} On Mon, Oct 06, 2014 at 04:00:44PM +0200, Mikael Magnusson wrote:
} > Someone reported this on IRC the other day,
} > % >&333333333333333333333
} > zsh: number truncated after 20 digits: 333333333333333333333
} > *** buffer overflow detected ***: zsh terminated
} > 
} > At least one place where this is mishandled is in exec.c around line 3215,
} 
} I can reproduce this in 5.0.6.
} 
} But I can't reproduce this in 4.3.17 as in Debian Wheezy.

I think that may be a difference in compilation rather than in code, i.e.
whether the binary was compiled with FORTIFY_SOURCE defined.

The char fdstr[4] has been there since before 1999.

DIGBUFSIZ should be used there, as PWS suggested.

References:
- Buffer overflow with long fd numbers in redirects
  - From: Mikael Magnusson
- Re: Buffer overflow with long fd numbers in redirects
  - From: Axel Beckert

Messages sorted by: Reverse Date, Date, Thread, Author