Zsh Mailing List Archive

Re: #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities)
On Tue, 2019-05-14 at 00:36 +0200, Oliver Kiddle wrote:
> On 10 May, Bart wrote:
> > 
> > > 
> > >     #3 Invalid read from *dupstring *in *string.c*
> > >     POC folder:  *03_dupstring_(string.c_39)*
> > This gives exactly the same errors as #2, and then exits with
> > 
> > [long ugly filename]:87: parse error near `}'
> I've cut this one down to just:
> 
>   typeset Q= {X}
> 
> That reliably seg faults for me. But that's about as far as I've
> been able to get - I'm not especially familiar with zsh's parsing
> code.

Stepping through the parsing code when intypeset is set (with the
optimiser turned off) made it fairly obvious where it was doing
something it shouldn't, and the fix is to adapt code from below to this
case... This is an obscure case we'd be very unlikely to pick up
normally.

The new parse case isn't actually useful and is bound to fail in the
typeset, but the rational solution seems to be to let the normal typeset
code figure that out, the same as if the Q= were missing (which I've also
added a test for).

pws

diff --git a/Src/parse.c b/Src/parse.c
index 22e553a16..27234497b 100644
--- a/Src/parse.c
+++ b/Src/parse.c
@@ -1899,6 +1899,14 @@ par_simple(int *cmplx, int nr)
 			    p += nrediradd;
 			    sr += nrediradd;
 			}
+			else if (postassigns)
+			{
+			    /* C.f. normal case below */
+			    postassigns++;
+			    ecadd(WCB_ASSIGN(WC_ASSIGN_SCALAR, WC_ASSIGN_INC, 0));
+			    ecstr(toksave);
+			    ecstr("");	/* TBD can possibly optimise out */
+			}
 			else
 			{
 			    ecstr(toksave);
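Review bot: the comment `/* C.f. normal case below */` on the new `else if (postassigns)` branch does not say which normal case it mirrors or why a `{X}` word that follows an earlier assignment has to be recorded as `WCB_ASSIGN(WC_ASSIGN_SCALAR, WC_ASSIGN_INC, 0)` with the name and then an empty `ecstr("")`; spell that out, because the trailing `/* TBD can possibly optimise out */` invites a later reader to remove the empty string without knowing what consumes it. Since `postassigns++` now counts a word that is not a real assignment, it is also worth confirming that nothing else in par_simple uses that count as the number of genuine assignments.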
diff --git a/Test/B02typeset.ztst b/Test/B02typeset.ztst
index ac86e0ad1..e7bf93794 100644
--- a/Test/B02typeset.ztst
+++ b/Test/B02typeset.ztst
@@ -1101,3 +1101,10 @@
 >export zsh_exported_readonly_scalar=1
 >readonly zsh_exported_readonly_array=( 2 )
 >readonly zsh_exported_readonly_scalar=1
+
+  # The second case was buggy as it needs special handling in postassigns
+  (typeset {X})
+  (typeset Q= {X})
+1:Regression test for {...} parsing in typeset
+?(eval):typeset:2: not valid in this context: {X}
+?(eval):typeset:3: not valid in this context: {X}
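Review bot: the expected lines `?(eval):typeset:2:` and `?(eval):typeset:3:` tie the test to the comment `# The second case was buggy ...` being line 1 of the chunk, so any line added above `(typeset {X})` will silently shift both numbers; moving the explanation into the description line or above the blank `+` line would make the test less fragile. The comment would also be clearer if it said what the bug was (the thread reports a segfault on `typeset Q= {X}`), since the test itself only asserts exit status 1 and the two error messages.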
