Zsh Mailing List Archive
Re: [PATCH] Src/parse.c: bound h->npats in .zwc loader
On Fri 15 May 2026, at 01:07, Michael Ridgway wrote:
> As discussed in the zsh-security thread of 2026-05-03 onwards (and per
> Oliver's nudge yesterday — happy to get this into the next minor
> release).

i missed this before, sry

the fix seems good to me and oliver, so i've applied it

following discussion on irc i did make the following changes:

- the patch was corrupt. i fixed that
- there was no error message. i added one
- i moved the tests from B* to A*, since they're related to parsing, not
  to the zcompile built-in itself
- the tests were more complicated than necessary. i simplified them
- the tests assumed a little-endian system. i modified them to work on
  both le and be. oliver was able to confirm this on a be system he had
  access to

anyway ty for the report + fix

On Fri 15 May 2026, at 11:51, Bart Schaefer wrote:
> Pardon that I'm commenting without code-parsing, but could this be
> subverted by creating an extremely large .zwc file? Possibly just by
> appending a block of NULL bytes when modifying the npats header?

if you mean could this specific check not work as intended due to the
file size, i don't think so, because at this point we're only looking at
the values of the struct fields. but there may be other opportunities
for memory corruption as we read the rest of the file, if either those
values or the data they refer to were manipulated. i didn't study it
that closely myself though

dana
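
The distinction drawn in the reply above, a check on a header field's value versus a check on the data that field refers to, as an added example that is not zsh's code and not the applied patch. The file layout, the `HYPL`/`HYPB` magic, `MAX_RECS` and `check_header` are all hypothetical; the samples are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical layout, NOT the real .zwc format: magic "HYPL"/"HYPB"
 * (little-/big-endian), a 32-bit record count, then count 16-byte records. */
#define HDR_LEN  8u
#define REC_LEN  16u
#define MAX_RECS 4096u /* assumed sanity cap on the count field */
enum { LOAD_SHORT = -1, LOAD_MAGIC = -2, LOAD_COUNT = -3, LOAD_TRUNC = -4 };

/* Decode byte by byte so the result is the same on LE and BE hosts. */
static uint32_t rd32(const unsigned char *p, int big_endian)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++)
        v = (v << 8) | p[big_endian ? i : 3 - i];
    return v;
}

/* Returns the validated record count, or a negative LOAD_* code. */
static long check_header(const unsigned char *buf, size_t len)
{
    uint32_t count;
    if (len < HDR_LEN)
        return LOAD_SHORT;
    if (buf[0] != 'H' || buf[1] != 'Y' || buf[2] != 'P' ||
        (buf[3] != 'L' && buf[3] != 'B'))
        return LOAD_MAGIC;
    count = rd32(buf + 4, buf[3] == 'B');
    /* Check 1: the field value alone; padding the file cannot affect it. */
    if (count > MAX_RECS)
        return LOAD_COUNT;
    /* Check 2: the records must be present; dividing avoids overflow. */
    if (count > (len - HDR_LEN) / REC_LEN)
        return LOAD_TRUNC;
    return (long)count;
}

/* Constructed samples; bytes not listed are zero. */
static const unsigned char ok_le[8 + 32] = {'H','Y','P','L', 2,0,0,0};
static const unsigned char trunc_be[8] = {'H','Y','P','B', 0,0,0,2};
static const unsigned char padded[8 + 64] = {'H','Y','P','L', 0xff,0xff,0xff,0x7f};

int main(void)
{
    return !(check_header(ok_le, sizeof ok_le) == 2 &&
             check_header(trunc_be, sizeof trunc_be) == LOAD_TRUNC &&
             check_header(padded, sizeof padded) == LOAD_COUNT);
}
```

The `padded` sample carries an oversized count followed by zero bytes and is rejected by the first check regardless of its length, while `trunc_be` passes the first check and is caught only by the second.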