Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Integer overflow during brace expansion

X-seq: zsh-workers 30278
From: Mikael Magnusson <mikachu@xxxxxxxxx>
To: Leon Weber <leon@xxxxxxxxxxxx>
Subject: Re: Integer overflow during brace expansion
Date: Mon, 27 Feb 2012 17:52:02 +0100
Authentication-results: mr.google.com; spf=pass (google.com: domain of mikachu@xxxxxxxxx designates 10.182.1.40 as permitted sender) smtp.mail=mikachu@xxxxxxxxx; dkim=pass header.i=mikachu@xxxxxxxxx
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JBSIrY7HFEWRIGvkARnc4j03Dbm2VUaWAuG6Ltn8F+o=; b=x49UQudR+kXDeoGxsuCOalZmj2N1xm2siEN1mw01hAmwj9zmBsWvvNZ78rl12NlYOC lnuH8Z57Gvmb+OYqRbaumJcDFKIxnZxGW7F3AcdkNg2uI44t7kKbX3eLftIhaazmFMCW G8yqoB5Zh3xyxMbMZ+D7B2xyWhJdcR1AnsSAA=
In-reply-to: <20120227162251.GA17559@zaphod.q-ix.net>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <20120227162251.GA17559@zaphod.q-ix.net>

On 27 February 2012 17:22, Leon Weber <leon@xxxxxxxxxxxx> wrote:
> Hi,
>
> When parsing and expanding 'dotdot' type brace expressions (e.g. {1..3}),
> zsh can encounter integer overflows because the range start and end
> values are stored in two integers without proper bounds checking
> (rstart and rend in glob.c:2092). Particularly,
> this happens when one of the range boundaries is <=-2147483648
> or >=2147483648, like in this example:
>
>> zsh% echo {-2147483648..-2147483646}
>
> This will cause zsh to eat up 100% CPU iterating through the loop declared
> in line 2147 in glob.c. In that loop, rend is decreased until it underflows.
> In the third and fourth iterations, we have these conditions:
[snippysnip]
> This gdb output clearly shows that rend has underflown and is now at the
> far positive end of the valid integer values. zsh will keep iterating
> over that loop and decreasing rend for a really long time.
>
> For comparison, a bash shell handles this correctly:
>
>> bash$ echo {-2147483648..-2147483646}
>> -2147483648 -2147483647 -2147483646

$ echo {-2147483648..2147483646}
zsh: segmentation fault  bash
and if you do this
$ echo {0..214783646}^C
it doesn't free the allocated memory until you exit the shell :).

(Of course, just for comparison. In zsh you can't even abort the
process with ctrl-c ;).)

The fix is fairly simple, just change the types involved to zlong. A
problem is that sprintf is used to convert the generated numbers back
to a string, and zlong can be an int or a long, but I forgot if we
have a modifier macro that expands to the correct thing. I remember
asking about it before (and possibly saying I would look in to fixing
it), but at the moment I don't remember what the result was.

With hardcoding it to %ld though, we get
% echo {-121474853646..-121474853650..2}
{-121474853660..-121474853646..3}
-121474853646 -121474853648 -121474853650 -121474853660 -121474853657
-121474853654 -121474853651 -121474853648

-- 
Mikael Magnusson

Follow-Ups:
- Re: Integer overflow during brace expansion
  - From: Mikael Magnusson

References:
- Integer overflow during brace expansion
  - From: Leon Weber

Messages sorted by: Reverse Date, Date, Thread, Author