Zsh Mailing List Archive
Re: Obscure overflow with very long path; completion
- X-seq: zsh-workers 21232
- From: Geoff Wing <mason@xxxxxxxxxxxxxxx>
- To: zsh-workers@xxxxxxxxxx
- Subject: Re: Obscure overflow with very long path; completion
- Date: Fri, 6 May 2005 04:10:00 +0000 (UTC)
- Mailing-list: contact zsh-workers-help@xxxxxxxxxx; run by ezmlm
- Organization: PrimeNet Computer Consultants
- References: <DE6AE1FD-6A14-44CE-8CB2-3576B59DB5B6@xxxxxxxxx> <200505031026.j43AQwBE014903@xxxxxxxxxxxxxx>
- Reply-to: mason@xxxxxxxxxxxxxxx
Peter Stephenson <pws@xxxxxxx> typed:
: David Remahl wrote:
:> Summary:
:> Some very special circumstances trigger a buffer overflow of some
:> kind (I believe it is on the heap, but I have not had time to look
:> into it in detail) in the cd builtin.
: I couldn't get this to happen with Fedora Core 3 on x86. It's possible
: it's some library bug, but I agree it's more likely there's some
: well-masked problem in memory management in zsh.
I get 98 of them built using the provided method before crashing. Then
% zsh -f
% cd /tmp
% for I in {1..98}; cd aaaaaaaaaaaaaaaaaaaa
% pwd | wc
1 1 2063
% setopt chaselinks
% cd /tmp
% for I in {1..98}; cd aaaaaaaaaaaaaaaaaaaa
(gdb) bt
#0 0xbdbcba91 in xsymlink (
s=0x80e80c8 "/tmp/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/aaaaaa"...) at utils.c:395
#1 0xbdbcb701 in findpwd (
s=0x80e80c8 "/tmp/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/", 'a' <repeats 20 times>, "/aaaaaa"...) at utils.c:279
#2 0xbdb7482e in cd_new_pwd (func=10, dir=0x8091ca8) at builtin.c:1107
These two in utils.c:
static char xbuf[PATH_MAX*2];
and
char xbuf2[PATH_MAX*2], ...
are insufficient because the path is over twice the allowed PATH_MAX (1024) on
my machine. I guess there should be some limiters to stop somewhere and obey
PATH_MAX (or some magic number we wish to support).
Regards,
Geoff
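
The kind of limiter suggested above, as an added example that is not part of the original message and is not zsh code: a bounded append into a PATH_MAX*2 buffer, fed the /tmp path from the session (2062 bytes, or 2063 with the newline wc counts). The names path_append, build_demo_path, DEMO_PATH_MAX and XBUF_SIZE are hypothetical, and 1024 is the PATH_MAX value quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Sizes from the message: PATH_MAX is 1024 there, buffers are PATH_MAX*2. */
#define DEMO_PATH_MAX 1024
#define XBUF_SIZE (DEMO_PATH_MAX * 2)

/* Hypothetical helper (not zsh code): append "/comp" to the path in buf,
 * which currently holds *len bytes plus a NUL. Returns 0 on success, or -1
 * if the result including its NUL would not fit; buf is then unchanged. */
static int path_append(char *buf, size_t cap, size_t *len, const char *comp)
{
    size_t clen = strlen(comp);
    size_t room;

    if (*len >= cap) return -1;
    room = cap - *len;               /* bytes left, NUL slot included */
    if (room < 2 || clen > room - 2) /* need '/' + comp + NUL */
        return -1;
    buf[(*len)++] = '/';
    memcpy(buf + *len, comp, clen);
    *len += clen;
    buf[*len] = '\0';
    return 0;
}

/* Rebuild the path from the session: "/tmp" plus n components of twenty
 * 'a's. Returns how many components fit; the final length goes to *out_len. */
static int build_demo_path(int n, size_t *out_len)
{
    static char xbuf[XBUF_SIZE];
    const char *comp = "aaaaaaaaaaaaaaaaaaaa"; /* 20 characters */
    size_t len = 4;
    int i;

    memcpy(xbuf, "/tmp", 5);
    for (i = 0; i < n; i++)
        if (path_append(xbuf, sizeof xbuf, &len, comp) != 0)
            break;                   /* stop instead of writing past xbuf */
    *out_len = len;
    return i;
}

int main(void)
{
    size_t len;
    int fitted = build_demo_path(98, &len);
    printf("fitted %d of 98, length %zu, cap %d\n", fitted, len, XBUF_SIZE);
    return 0;
}
```

With these sizes the 98th component is the first one that no longer fits, so the caller has a definite point at which to report an over-long path instead of copying it.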