Zsh Mailing List Archive
Re: Zsh - Multiple DoS Vulnerabilities
- X-seq: zsh-workers 44291
- From: Oliver Kiddle <okiddle@xxxxxxxxxxx>
- To: David Wells <bughunters@xxxxxxxxxxx>, "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
- Subject: Re: Zsh - Multiple DoS Vulnerabilities
- Date: Mon, 13 May 2019 23:44:25 +0200
- In-reply-to: <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>
- References: <CAAOKOsfSAR5aRBvEcyQKRzDCvOgRJdyRvVb9AXMq6d22RaUozQ@mail.gmail.com> <CAH+w=7Y8d0h43rM_dHhbiT8nvL3-zxF8DUWTjn--hPX8sF7iaA@mail.gmail.com>
> On Fri, May 10, 2019 at 8:04 AM David Wells <bughunters@xxxxxxxxxxx> wrote:
> > #4 Invalid read from *bin_print* in *builtin.c*
> > POC folder: *04_bin_print_(builtin.c_5009)*

This seems to be very similar to #6: string to int conversion
overflowing to a negative number. In this case you can reproduce it
with just:

  printf '%4444444444444$'

Note that narg below is of type int despite the use of strtoul().

Oliver

diff --git a/Src/builtin.c b/Src/builtin.c
index ca0ce35f5..a8f054c8a 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -4990,8 +4990,7 @@ bin_print(char *name, char **args, Options ops, int func)
narg = strtoul(c, &endptr, 0);
if (*endptr == '$') {
c = endptr + 1;
- DPUTS(narg <= 0, "specified zero or negative arg");
- if (narg > argc) {
+ if (narg <= 0 || narg > argc) {
zwarnnam(name, "%d: argument specifier out of range",
narg);
if (fout != stdout)
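
Review bot: the new `narg <= 0 || narg > argc` test runs only after the value has been narrowed, because the context line `narg = strtoul(c, &endptr, 0);` stores an unsigned long result in an int (as the message itself points out). Where unsigned long is wider than int, a specifier that wraps to a small positive int would still pass this check, and the `%d` in the warning prints the wrapped value rather than the number that was typed. Consider keeping the strtoul() result in an unsigned long, comparing it against argc at that width, and assigning to narg only once it is known to be in range.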
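
The conversion problem described in the message above, shown stand-alone as an added example; it is not part of the original post or of zsh's source. The function names and the sample inputs other than the reproducer's digits are hypothetical, and the "checked" variant is one possible way to range-check before narrowing, not the fix that was committed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Pattern from the message: the unsigned long result of strtoul() is stored
 * in an int, so large values wrap (implementation-defined, modulo 2^32 on
 * common compilers). Returns the wrapped value, or 0 if no '$' follows. */
int parse_argspec_narrowing(const char *c)
{
    char *endptr;
    int narg = (int)strtoul(c, &endptr, 0);
    return *endptr == '$' ? narg : 0;
}

/* Hypothetical hardened variant: range-check while the value is still an
 * unsigned long, and narrow only after it is known to lie in 1..argc.
 * Returns the argument index, or -1 if the specifier is rejected. */
int parse_argspec_checked(const char *c, int argc)
{
    char *endptr;
    unsigned long v;

    if (*c < '0' || *c > '9')        /* strtoul() would accept "-1" or " 1" */
        return -1;
    errno = 0;
    v = strtoul(c, &endptr, 0);
    if (endptr == c || *endptr != '$')
        return -1;                   /* not an "N$" specifier */
    if (errno == ERANGE || v == 0 || argc <= 0 || v > (unsigned long)argc)
        return -1;                   /* out of range before any narrowing */
    return (int)v;
}

int main(void)
{
    /* Constructed inputs: the digits from the reproducer, and 2^32 + 1 */
    const char *samples[] = { "2$", "0$", "4444444444444$", "4294967297$" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-16s narrowing=%d checked=%d\n", samples[i],
               parse_argspec_narrowing(samples[i]),
               parse_argspec_checked(samples[i], 3));
    return 0;
}
```

Where unsigned long is 64 bits, the last sample wraps to 1 in the narrowing version, which a sign test on the int alone cannot distinguish from a genuine `1$`.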