Zsh Mailing List Archive
Re: zsh 5.0.5-dev-2
On Aug 15, 7:23pm, Han Pingtian wrote:
} Subject: Re: zsh 5.0.5-dev-2
}
} Hi,
}
} Looks like on line 747 of Src/utils.c:
}
} 747 sprintf(xbuf2, "%s/%s", xbuf, *pp);
}
} The "cd .." will trigger a buffer overflow if I compile zsh with
} -D_FORTIFY_SOURCE=2. Shall we return -1 here if it will overflow xbuf2?
I think Fortify errors because xbuf2 and xbuf are the same size and
the sprintf format is appending at least one character. In practice
there would have to be a path segment PATH_MAX bytes long followed by
a file (directory) name at least PATH_MAX bytes long, which ought to
be impossible if the file system is well-behaved; in any other case
the readlink() will already have failed on the previous segment and
it already has either generated a partial expansion or returned -1.
If we're really worried about this, I think the solution would be to make
xbuf2 larger, e.g., PATH_MAX*3 or something. Does the fortify error go
away if you increase the size of xbuf2?
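The two remedies discussed in this exchange, a bounds check that returns -1 when the joined path would not fit and a larger destination buffer, are shown side by side below. This is an added illustration, not code from zsh's Src/utils.c; the function names join_path, joined_size and the demo_* helpers are hypothetical, and the inputs are constructed (a directory string that exactly fills a PATH_MAX buffer) rather than real filesystem paths.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Join "dir/name" into dst, which holds dstsize bytes.
 * Returns the length written, or -1 if the result (terminating NUL
 * included) would not fit.  This is the bounds-checked form of the
 * sprintf(xbuf2, "%s/%s", xbuf, *pp) pattern: snprintf never writes
 * past dstsize, and its return value tells us whether a plain sprintf
 * would have overflowed. */
static int join_path(char *dst, size_t dstsize, const char *dir, const char *name)
{
    int n = snprintf(dst, dstsize, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= dstsize) {
        /* Truncated: the caller treats this like a failed readlink(). */
        if (dstsize > 0)
            dst[0] = '\0';
        return -1;
    }
    return n;
}

/* Bytes a plain sprintf("%s/%s") writes, NUL included.  This is why two
 * buffers of the same size cannot be safe in general: the destination
 * needs len(dir) + 1 + len(name) + 1 bytes. */
static size_t joined_size(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name) + 1;
}

/* Ordinary case: plenty of room, the join succeeds. */
static int demo_short(void)
{
    char xbuf2[PATH_MAX];
    return join_path(xbuf2, sizeof xbuf2, "/usr/local", "bin");
}

/* Constructed worst case: xbuf already holds PATH_MAX-1 characters, so
 * appending "/" plus any name cannot fit into an xbuf2 of the same size. */
static int demo_overflow(void)
{
    char xbuf[PATH_MAX];
    char xbuf2[PATH_MAX];
    memset(xbuf, 'a', PATH_MAX - 1);
    xbuf[PATH_MAX - 1] = '\0';
    return join_path(xbuf2, sizeof xbuf2, xbuf, "x");
}

/* The other remedy from the thread: give xbuf2 more room (PATH_MAX*3),
 * so the same input now fits and the join reports its length. */
static int demo_larger_buffer(void)
{
    char xbuf[PATH_MAX];
    char xbuf2[PATH_MAX * 3];
    memset(xbuf, 'a', PATH_MAX - 1);
    xbuf[PATH_MAX - 1] = '\0';
    return join_path(xbuf2, sizeof xbuf2, xbuf, "x");
}

int main(void)
{
    printf("short path:    %d\n", demo_short());
    printf("same-size buf: %d\n", demo_overflow());
    printf("larger buf:    %d\n", demo_larger_buffer());
    return 0;
}
```

Either remedy silences the fortify check because the destination size is now visible to the compiler (snprintf with sizeof) or simply large enough; the snprintf form has the advantage of also covering inputs larger than any fixed multiple of PATH_MAX.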