Re: Integer overflow during brace expansion

[Mikael Magnusson <mikachu@xxxxxxxxx>]

On 27 February 2012 17:52, Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
> On 27 February 2012 17:22, Leon Weber <leon@xxxxxxxxxxxx> wrote:
>> Hi,
>>
>> When parsing and expanding 'dotdot' type brace expressions (e.g. {1..3}),
>> zsh can encounter integer overflows because the range start and end
>> values are stored in two integers without proper bounds checking
>> (rstart and rend in glob.c:2092). Particularly,
>> this happens when one of the range boundaries is <=-2147483648
>> or >=2147483648, like in this example:
>>
>>> zsh% echo {-2147483648..-2147483646}
>>
>> This will cause zsh to eat up 100% CPU iterating through the loop declared
>> in line 2147 in glob.c. In that loop, rend is decreased until it underflows.
>> In the third and fourth iterations, we have these conditions:
> [snippysnip]
>> This gdb output clearly shows that rend has underflown and is now at the
>> far positive end of the valid integer values. zsh will keep iterating
>> over that loop and decreasing rend for a really long time.
>>
>> For comparison, a bash shell handles this correctly:
>>
>>> bash$ echo {-2147483648..-2147483646}
>>> -2147483648 -2147483647 -2147483646
>
> $ echo {-2147483648..2147483646}
> zsh: segmentation fault  bash
> and if you do this
> $ echo {0..214783646}^C
> it doesn't free the allocated memory until you exit the shell :).
>
> (Of course, just for comparison. In zsh you can't even abort the
> process with ctrl-c ;).)
>
> The fix is fairly simple, just change the types involved to zlong. A
> problem is that sprintf is used to convert the generated numbers back
> to a string, and zlong can be an int or a long, but I forgot if we
> have a modifier macro that expands to the correct thing. I remember
> asking about it before (and possibly saying I would look in to fixing
> it), but at the moment I don't remember what the result was.
>
> With hardcoding it to %ld though, we get
ie, this:

diff --git i/Src/glob.c w/Src/glob.c
index 8f8127c..78b197c 100644
--- i/Src/glob.c
+++ w/Src/glob.c
@@ -2089,7 +2089,8 @@ xpandbraces(LinkList list, LinkNode *np)
 	char *dots, *p, *dots2 = NULL;
 	LinkNode olast = last;
 	/* Get the first number of the range */
-	int rstart = zstrtol(str+1,&dots,10), rend = 0, err = 0, rev = 0, rincr = 1;
+	zlong rstart = zstrtol(str+1,&dots,10), rend = 0;
+	int err = 0, rev = 0, rincr = 1;
 	int wid1 = (dots - str) - 1, wid2 = (str2 - dots) - 2, wid3 = 0;
 	int strp = str - str3;

@@ -2134,7 +2135,7 @@ xpandbraces(LinkList list, LinkNode *np)
 	    }
 	    if (rstart > rend) {
 		/* Handle decreasing ranges correctly. */
-		int rt = rend;
+		zlong rt = rend;
 		rend = rstart;
 		rstart = rt;
 		rev = !rev;
@@ -2147,7 +2148,7 @@ xpandbraces(LinkList list, LinkNode *np)
 	    for (; rend >= rstart; rend -= rincr) {
 		/* Node added in at end, so do highest first */
 		p = dupstring(str3);
-		sprintf(p + strp, "%0*d", minw, rend);
+		sprintf(p + strp, "%0*ld", minw, rend);
 		strcat(p + strp, str2 + 1);
 		insertlinknode(list, last, p);
 		if (rev)	/* decreasing:  add in reverse order. */