Zsh Mailing List Archive

PATCH: #6 negative job id (Re: Zsh - Multiple DoS Vulnerabilities)
On 10 May, Bart wrote:
> >     #6 Invalid read from getjob in jobs.c
> >     POC folder: 06_getjob_(jobs.c_1935)
>
> This one I fed to "zsh -xf" and got (file name removed for readability):
>
> +1> bg $'%\M-\C-?' $'\C-VI7'
> bg:1: no job control in this shell.
> +1> disown $'%777777777777777\M-^'

This can be reproduced with just %777777777777777
or %2147483648 for that matter. Seems the value returned from atoi()
wraps to negative values if it doesn't fit in an int.

This patch prevents the crash but perhaps atoi() should be replaced with
something that does better error handling to cover numbers that are too
big but get truncated to something positive.

Oliver

diff --git a/Src/jobs.c b/Src/jobs.c
index 73d7f26da..50751decb 100644
--- a/Src/jobs.c
+++ b/Src/jobs.c
@@ -1932,7 +1932,7 @@ getjob(const char *s, const char *prog)
     /* a digit here means we have a job number */
     if (idigit(*s)) {
 	jobnum = atoi(s);
-	if (jobnum && jobnum <= mymaxjob && myjobtab[jobnum].stat &&
+	if (jobnum > 0 && jobnum <= mymaxjob && myjobtab[jobnum].stat &&
 	    !(myjobtab[jobnum].stat & STAT_SUBJOB) &&
 	    /*
 	     * If running jobs in a subshell, we are allowed to

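As an added illustration of the stricter parsing the message suggests (this is example code, not zsh's own getjob()), the function below parses a job reference with strtol() instead of atoi() and rejects anything that does not fit in an int or exceeds the job table; `parse_jobnum` and its `maxjob` parameter (standing in for mymaxjob) are assumed names.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Added example, not zsh code. Parses the numeric part of a job
 * reference such as "%3", "%2147483648" or "%777777777777777" the way
 * a hardened getjob() could. atoi() gives no overflow signal and its
 * result on overflow is undefined (in practice it often wraps to a
 * negative int, or to a small positive one for values like 4294967297).
 * Returns the job number on success, or -1 if the text is not a valid
 * in-range job number. maxjob stands in for mymaxjob. */
int parse_jobnum(const char *s, int maxjob)
{
    char *end;
    long v;

    if (*s == '%')               /* accept the leading '%' used by bg/disown */
        s++;
    if (*s < '0' || *s > '9')    /* require a digit: no sign, no whitespace */
        return -1;

    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE)         /* did not even fit in a long */
        return -1;
    if (*end != '\0')            /* trailing garbage such as "12abc" */
        return -1;
    if (v < 1 || v > INT_MAX)    /* job 0 is never valid; refuse int overflow */
        return -1;
    if (v > maxjob)              /* beyond the end of the job table */
        return -1;
    return (int)v;
}
```

Both inputs from the report, and the "truncates to something positive" case (4294967297 becomes 1 when narrowed to a 32-bit int), are rejected before any table lookup.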