Zsh Mailing List Archive
Re: zsh 5.0.5-dev-2
On Sun, Aug 17, 2014 at 10:30:30AM -0700, Bart Schaefer wrote:
> On Aug 16, 8:35am, Han Pingtian wrote:
> }
> } I have tried PATH_MAX*3 and PATH_MAX*3 - 1, they both can fix the
> } buffer overflow here. I also tried PATH_MAX*2 + 1/2/3, they don't
> } fix this problem.
>
> I suspect Fortify is reporting a potential error rather than a real
> one, because we'd presumably have seen other problems before this if
> "cd .." actually caused an 8kb buffer on the stack to overflow.
>
> The whole symlink-chasing code is probably ripe to be rewritten with
> zsh-heap (or even malloc + static pointers) allocation unless we have
> reason to believe that's a serious performance issue.
>
> For the nonce I'll just commit xbuf2[PATH_MAX*3].
FYI.
I have tried to print the length of xbuf and *pp before the sprintf(). It looks
like when the overflow is triggered, the length of xbuf is 8188, and the
length of *pp is 10.
After changing xbuf2's length to PATH_MAX*3, the result is the same:
when zsh prints
zsh: path expansion failed, using root directory
the length of xbuf is 8188 and the length of *pp is 10.
All the tests were performed on top of 2be0d8bdef401b6bca0c80a7bd78d658e862e38e,
I haven't yet merged your new commit.
Thanks.
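The length arithmetic for the numbers reported above, as an added example that is not part of the original message or of the zsh source. It assumes the sprintf() joins xbuf and *pp with a "%s/%s" format and that PATH_MAX is 4096 (so PATH_MAX*2 is the 8kb buffer mentioned in the quoted text); join_need, join_checked and try_capacity are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EX_PATH_MAX 4096  /* assumed value; PATH_MAX*2 = 8192 = the "8kb buffer" */

/* Bytes needed by an assumed "%s/%s" join, including the terminating NUL. */
static size_t join_need(size_t head_len, size_t tail_len)
{
    return head_len + 1 + tail_len + 1;
}

/* Bounded join: 0 on success, -1 if dst is too small (dst is left empty). */
static int join_checked(char *dst, size_t dst_size,
                        const char *head, const char *tail)
{
    int n = snprintf(dst, dst_size, "%s/%s", head, tail);
    if (n < 0 || (size_t)n >= dst_size) {
        if (dst_size)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Join constructed strings of the reported lengths (8188 and 10) into a
 * heap buffer of the given capacity. Returns -2 on allocation failure. */
static int try_capacity(size_t cap)
{
    char *head = malloc(8188 + 1), *tail = malloc(10 + 1), *dst = malloc(cap);
    int rc = -2;
    if (head && tail && dst) {
        memset(head, 'a', 8188); head[8188] = '\0';
        memset(tail, 'b', 10);   tail[10] = '\0';
        rc = join_checked(dst, cap, head, tail);
    }
    free(head); free(tail); free(dst);
    return rc;
}

int main(void)
{
    size_t caps[] = { EX_PATH_MAX * 2, EX_PATH_MAX * 2 + 3,
                      EX_PATH_MAX * 3 - 1, EX_PATH_MAX * 3 };
    for (size_t i = 0; i < sizeof caps / sizeof caps[0]; i++)
        printf("capacity %zu, need %zu: %s\n", caps[i], join_need(8188, 10),
               try_capacity(caps[i]) == 0 ? "fits" : "too small");
    return 0;
}
```

Under these assumptions the join needs more bytes than PATH_MAX*2 + 3 provides, while PATH_MAX*3 - 1 and PATH_MAX*3 both hold it, which matches the sizes reported to work and not work in the thread.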