Hi, When parsing and expanding 'dotdot' type brace expressions (e.g. {1..3}), zsh can encounter integer overflows because the range start and end values are stored in two integers without proper bounds checking (rstart and rend in glob.c:2092). Particularly, this happens when one of the range boundaries is <=-2147483648 or >=2147483648, like in this example: > zsh% echo {-2147483648..-2147483646} This will cause zsh to eat up 100% CPU iterating through the loop declared in line 2147 in glob.c. In that loop, rend is decreased until it underflows. In the third and fourth iterations, we have these conditions: // // third iteration // > Breakpoint 15, xpandbraces (list=0x7ffff7fee340, np=0x7fffffffd460) at glob.c:2149 > 2149 p = dupstring(str3); > (gdb) p rend > $56 = -2147483648 > (gdb) p rstart > $57 = -2147483648 > (gdb) cont > Continuing. // // fourth iteration // > Breakpoint 15, xpandbraces (list=0x7ffff7fee340, np=0x7fffffffd460) at glob.c:2149 > 2149 p = dupstring(str3); > (gdb) p rend > $58 = 2147483647 > (gdb) p rstart > $59 = -2147483648 This gdb output clearly shows that rend has underflown and is now at the far positive end of the valid integer values. zsh will keep iterating over that loop and decreasing rend for a really long time. For comparison, a bash shell handles this correctly: > bash$ echo {-2147483648..-2147483646} > -2147483648 -2147483647 -2147483646 I have been able reproduce this issue on Ubuntu x86_64 and x86 using zsh 4.3.10, 4.3.11, and git revision db7d0ac34143ed2378c2fd98845b2ae5eaaf6bbb. All mentioned line numbers reference to git revision db7d0ac34143ed2378c2fd98845b2ae5eaaf6bbb. Regards, -- Leon. PS: I already posted this on the sourceforge bug tracker before finding out that's not in use. Perhaps it would be good to note this details somewhere visible along with some hints on where to really report bugs, since the sf tracker is the first google hit on 'zsh bugs' and this mailing list doesn't show up anywhere near that.
Attachment:
signature.asc
Description: Digital signature