Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Obscure overflow with very long path; completion



Peter Stephenson <pws@xxxxxxx> typed:
: David Remahl wrote:
:> Summary:
:> Some very special circumstances trigger a buffer overflow of some
:> kind (I believe it is on the heap, but I have not had time to look
:> into it in detail) in the cd builtin.
: I couldn't get this to happen with Fedora Core 3 on x86.  It's possible
: it's some library bug, but I agree it's more likely there's some
: well-masked problem in memory management in zsh.

I get 98 of them built using the provided method before crashing.  Then

% zsh -f
% cd /tmp
% for I in {1..98}; cd aaaaaaaaaaaaaaaaaaaa
% pwd | wc
       1       1    2063
% setopt chaselinks
% cd /tmp
% for I in {1..98}; cd aaaaaaaaaaaaaaaaaaaa

(gdb) bt
#0  0xbdbcba91 in xsymlink (
    s=0x80e80c8 "/tmp/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/aaaaaa"...) at utils.c:395
#1  0xbdbcb701 in findpwd (
    s=0x80e80c8 "/tmp/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/aaaaaa"...) at utils.c:279
#2  0xbdb7482e in cd_new_pwd (func=10, dir=0x8091ca8) at builtin.c:1107

These two in utils.c:
   static char xbuf[PATH_MAX*2];
and
   char xbuf2[PATH_MAX*2], ...
are insufficient because the path is over twice the allowed PATH_MAX (1024) on
my machine.  I guess there should be some limiters to stop somewhere and obey
PATH_MAX (or some magic number we wish to support).

Regards,
Geoff
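The bound Geoff is asking for, as an added example that is not zsh's own code: a path is assembled component by component into a fixed buffer, and the append refuses once the result plus its NUL terminator would no longer fit, instead of running past the end the way the unbounded copies into xbuf/xbuf2 do. PATH_MAX is pinned to the 1024 reported above so the numbers match the report (98 directories of twenty 'a's under /tmp is 2062 characters, the 2063 that wc shows minus its newline); the function names and the malloc-backed helper are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REPORTED_PATH_MAX 1024               /* value on Geoff's machine, per the report */
#define XBUF_SIZE (REPORTED_PATH_MAX * 2)    /* same sizing as zsh's xbuf in utils.c */

/* Append "/" + comp to the NUL-terminated string in buf (capacity cap).
 * Refuses and leaves buf untouched when the result and its terminator
 * would not fit: this is the limiter the reported copies lack. */
int append_component(char *buf, size_t cap, const char *comp)
{
    const char *end = memchr(buf, '\0', cap);
    if (end == NULL)                 /* not terminated within cap: refuse, never scan past it */
        return -1;
    size_t cur = (size_t)(end - buf);
    size_t need = strlen(comp);
    /* cur + 1 ('/') + need + 1 (NUL) must be <= cap; written without underflow */
    if (cap - cur < 2 || need > cap - cur - 2)
        return -1;
    buf[cur] = '/';
    memcpy(buf + cur + 1, comp, need + 1);   /* need + 1 copies the NUL as well */
    return 0;
}

/* Mirror the report: start at /tmp and append n directories named with
 * twenty 'a's. Returns how many components were accepted. */
int build_deep_path(int n, char *out, size_t cap)
{
    const char *comp = "aaaaaaaaaaaaaaaaaaaa";   /* 20 characters, as in the report */
    int accepted = 0;
    if (cap < sizeof "/tmp") {
        if (cap > 0) out[0] = '\0';
        return 0;
    }
    strcpy(out, "/tmp");
    for (int i = 0; i < n; i++) {
        if (append_component(out, cap, comp) != 0)
            break;                           /* stop at the limit instead of overflowing */
        accepted++;
    }
    return accepted;
}

/* Convenience wrapper (this example's own): run build_deep_path in a heap
 * buffer of the given capacity and report the resulting path length. */
int accepted_components(int n, size_t cap, size_t *len_out)
{
    char *buf = malloc(cap);
    if (buf == NULL)
        return -1;
    int accepted = build_deep_path(n, buf, cap);
    if (len_out != NULL)
        *len_out = strlen(buf);
    free(buf);
    return accepted;
}

int main(void)
{
    size_t len;
    int ok = accepted_components(98, XBUF_SIZE, &len);
    printf("%d of 98 components fit in PATH_MAX*2 = %d bytes (path length %zu)\n",
           ok, XBUF_SIZE, len);
    ok = accepted_components(98, 8192, &len);
    printf("%d of 98 fit in 8192 bytes (path length %zu)\n", ok, len);
    return 0;
}
```

With the 2048-byte buffer the 98th component is rejected (97 fit, the path stops at 2041 characters) rather than writing 2063 bytes into 2048; with an 8192-byte buffer all 98 fit and the path is the 2062 characters the report's pwd produced. Whatever limit is chosen, the check belongs in the copy, not in the caller's assumptions about how deep a directory tree can be.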
