Zsh Mailing List Archive
Buffer overflow in "!" handling?
- X-seq: zsh-workers 26601
- From: DragonK <dragonk@xxxxxxxxx>
- To: zsh-workers@xxxxxxxxxx
- Subject: Buffer overflow in "!" handling?
- Date: Wed, 25 Feb 2009 11:42:50 +0200
- Mailing-list: contact zsh-workers-help@xxxxxxxxxx; run by ezmlm
Hello,
I've stumbled upon a buffer overflow in zsh 4.3.9 (and 4.3.6) related
to the handling of the "!" character in the command line (Linux).
It's triggerable by typing "!AAAAAAAAA...A" (lots of A's) at the zsh
prompt (works better if zsh is compiled with stack protection,
otherwise a lot of A's are needed :) ).
A quick look at the code indicates the problem to be in hist.c,
function histsubchar(), where buf[256] is getting overflowed (*ptr is
used to write to the buffer, but no check is made to see if ptr passed
the end of buf). I might be wrong though, I only took a couple of
minutes to look at the code.
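The pattern the report describes (a moving pointer writing into a fixed buf[256] with no comparison against the end of the buffer), as an added illustration that is not zsh's own histsubchar() code: the unchecked collector beside a bounded one that tracks the remaining space. Function names, the space terminator and the demo helper are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

#define HISTBUF 256

/* Hypothetical sketch of the reported pattern (not the real histsubchar()):
 * characters after "!" are appended through ptr into a fixed-size buffer,
 * and nothing ever compares ptr against buf + HISTBUF. A long enough word
 * writes past the end of buf. */
size_t collect_unchecked(const char *in, char *buf)
{
    char *ptr = buf;
    while (*in && *in != ' ')
        *ptr++ = *in++;          /* no bound: keeps going past buf[255] */
    *ptr = '\0';
    return (size_t)(ptr - buf);
}

/* Hardened form: carry the buffer size, stop before the write that would
 * overrun, and leave room for the terminating NUL. Returns the number of
 * characters stored, or -1 if the word does not fit. */
int collect_bounded(const char *in, char *buf, size_t bufsz)
{
    size_t len = 0;
    if (bufsz == 0)
        return -1;
    while (*in && *in != ' ') {
        if (len + 1 >= bufsz) {  /* next byte would leave no room for NUL */
            buf[0] = '\0';
            return -1;
        }
        buf[len++] = *in++;
    }
    buf[len] = '\0';
    return (int)len;
}

/* Demo helper: constructs a run of n 'A's (the "!AAAA...A" input from the
 * report, minus the leading '!') and feeds it to the bounded collector. */
int demo_bang_run(size_t n)
{
    char input[1024];
    char buf[HISTBUF];
    if (n >= sizeof input)
        return -1;
    memset(input, 'A', n);
    input[n] = '\0';
    return collect_bounded(input, buf, sizeof buf);
}
```

With a 256-byte buffer the bounded version accepts at most 255 characters and reports -1 beyond that, which is the check the report says is missing.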