Zsh Mailing List Archive
Re: [PATCH] Src/parse.c: bound h->npats in .zwc loader
- X-seq: zsh-workers 54572
- From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Subject: Re: [PATCH] Src/parse.c: bound h->npats in .zwc loader
- Date: Fri, 15 May 2026 09:51:21 -0700
- Archived-at: <https://zsh.org/workers/54572>
- In-reply-to: <CAOcC9F2hZnLPztmOZPLK2w68t+XcDuH-X4pJgqeA8QptmOgKYw@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <CAOcC9F2hZnLPztmOZPLK2w68t+XcDuH-X4pJgqeA8QptmOgKYw@mail.gmail.com>
On Thu, May 14, 2026 at 11:07 PM Michael Ridgway
<michael.ridgway@xxxxxxxxx> wrote:
>
> Background. The .zwc loader at Src/parse.c:3920 computes
>
> int po = h->npats * sizeof(Patprog);
>
> with h->npats an attacker-controlled uint32 from the .zwc header.
>
> This patch uses a file-derived structural bound instead. Every
> pattern emitted into the wordcode stream costs exactly one wordcode
> (parse.c:1307, 1316, 1352, 2667, 2673, 2679, 2684 -- all of the form
> ecadd(ecnpats++)), so a file claiming more patterns than it has
> wordcodes to reference them with is malformed by construction:
>
> h->npats > h->len / sizeof(wordcode)
Pardon that I'm commenting without code-parsing, but could this be
subverted by creating an extremely large .zwc file? Possibly just by
appending a block of NULL bytes when modifying the npats header?
Not to imply that this should be left unfixed, and the variable
type/size corrections are good, but it should be noted as was pointed
out in the security thread that an attacker-controlled .zwc file is
always a vulnerability.
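As an added illustration (not the patch itself and not zsh's code), the check below combines the structural bound from the proposed patch with overflow-safe size_t arithmetic and a hard allocation cap, which is what still catches a file inflated with padding so that the structural bound alone is satisfied; the header struct, the `wordcode` typedef and the `Patprog_stub` type are constructed stand-ins, not the real .zwc layout in Src/parse.c.

```c
/* Added example, not zsh's code.  Header layout and types below are
 * constructed assumptions; the real Src/parse.c definitions differ. */
#include <stdint.h>
#include <stddef.h>

typedef uint32_t wordcode;                 /* assumption: 4-byte wordcode */
typedef struct { void *prog; } Patprog_stub;   /* stand-in for zsh's Patprog */

typedef struct {
    uint32_t len;    /* bytes of wordcode the header claims to contain */
    uint32_t npats;  /* number of patterns the header claims */
} zwc_hdr;

enum { ZWC_OK = 0, ZWC_BAD_LEN, ZWC_BAD_NPATS, ZWC_TOO_BIG };

/* file_size: actual size of the file on disk.
 * max_alloc: cap the loader applies no matter what the file claims.
 * On ZWC_OK, *pat_bytes receives the pattern table size to allocate. */
int check_zwc_header(const zwc_hdr *h, size_t file_size, size_t max_alloc,
                     size_t *pat_bytes)
{
    /* 1. the claimed wordcode length must fit inside the real file */
    if (h->len > file_size)
        return ZWC_BAD_LEN;

    /* 2. structural bound from the patch: every pattern costs one
     *    wordcode, so npats cannot exceed len / sizeof(wordcode) */
    if (h->npats > h->len / sizeof(wordcode))
        return ZWC_BAD_NPATS;

    /* 3. size_t multiplication with an explicit overflow guard instead of
     *    the int product quoted in the report */
    if ((size_t)h->npats > SIZE_MAX / sizeof(Patprog_stub))
        return ZWC_TOO_BIG;
    *pat_bytes = (size_t)h->npats * sizeof(Patprog_stub);

    /* 4. the inflated-file case from the reply: a large enough file makes
     *    check (2) pass, so a hard cap is what keeps the allocation bounded */
    if (*pat_bytes > max_alloc)
        return ZWC_TOO_BIG;

    return ZWC_OK;
}
```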