Zsh Mailing List Archive

Re: zsh 5.0.5-dev-2
On Fri, Aug 15, 2014 at 10:17:01AM -0700, Bart Schaefer wrote:
> On Aug 15,  7:23pm, Han Pingtian wrote:
> } Subject: Re: zsh 5.0.5-dev-2
> }
> } Hi,
> } 
> } Looks like on the 747 line of Src/utils.c:
> } 
> } 747         sprintf(xbuf2, "%s/%s", xbuf, *pp);
> } 
> } The "cd .." will trigger a buffer overflow if I compile zsh with 
> } -D FORTIFY_SOURCE=2 . Shall we return -1 here if it will overflow xbuf2?
> 
> I think Fortify errors because xbuf2 and xbuf are the same size and
> the sprintf format is appending at least one character.  In practice
> there would have to be a path segment PATH_MAX bytes long followed by
> a file (directory) name at least PATH_MAX bytes long, which ought to
> be impossible if the file system is well-behaved; in any other case
> the readlink() will already have failed on the previous segment and
> it already has either generated a partial expansion or returned -1.
> 
> If we're really worried about this, I think the solution would be to make
> xbuf2 larger, e.g., PATH_MAX*3 or something.  Does the fortify error go
> away if you increase the size of xbuf2?

I have tried PATH_MAX*3 and PATH_MAX*3 - 1; they both fix the
buffer overflow here. I also tried PATH_MAX*2 + 1/2/3; they don't
fix this problem.
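A bounded version of the join discussed above, added here as an example that is not part of this thread or of zsh's source: it computes the length the result needs before writing and returns -1 when the destination is too small, the alternative raised in the first message. `join_segment` and the two demo functions are names chosen for this example; `PATH_MAX` falls back to 4096 where the platform does not define it.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096   /* fallback for platforms without a fixed limit */
#endif

/* Bounded counterpart of  sprintf(xbuf2, "%s/%s", xbuf, *pp).
 * Writes "base/seg" into dst (capacity dstsz) and returns 0, or returns -1
 * without touching dst when the result would not fit.  The check is one
 * comparison, so it can stand in for an oversized destination buffer. */
int join_segment(char *dst, size_t dstsz, const char *base, const char *seg)
{
    size_t need = strlen(base) + 1 + strlen(seg) + 1;  /* base, '/', seg, NUL */
    if (need > dstsz)
        return -1;
    snprintf(dst, dstsz, "%s/%s", base, seg);          /* cannot truncate now */
    return 0;
}

/* Constructed case from the thread: a base that already fills a PATH_MAX
 * buffer plus a one-byte segment needs PATH_MAX + 2 bytes, so a same-size
 * destination must be rejected ... */
int same_size_dst_rejected(void)
{
    static char base[PATH_MAX], dst[PATH_MAX];
    memset(base, 'a', PATH_MAX - 1);
    base[PATH_MAX - 1] = '\0';
    return join_segment(dst, sizeof dst, base, "b") == -1;
}

/* ... while a destination twice that size holds it, with the '/' landing
 * exactly where the original buffer ended. */
int doubled_dst_accepted(void)
{
    static char base[PATH_MAX], dst[2 * PATH_MAX];
    memset(base, 'a', PATH_MAX - 1);
    base[PATH_MAX - 1] = '\0';
    if (join_segment(dst, sizeof dst, base, "b") != 0)
        return 0;
    return strlen(dst) == PATH_MAX + 1 && dst[PATH_MAX - 1] == '/' && dst[PATH_MAX] == 'b';
}

int main(void)
{
    printf("same-size dst rejected: %d\n", same_size_dst_rejected());
    printf("doubled dst accepted:   %d\n", doubled_dst_accepted());
    return 0;
}
```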