Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh - Multiple DoS Vulnerabilities



On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
> I'm finding this one will crash on Linux but hang on FreeBSD. And not
> crash with true as the condition. A variety of things can be used in the
> condition. while .. do .. done can be used in place of if .. then .. fi,
> && or ||. The me > you part can be cut down to :. Try the following:
> 
>   if [[ m -eq y ]]; then
>     : && !
>     :
>   fi
> 
> Where I had a crash, it was interpreting the wordcode in ecgetstr().
> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
> causing it to index well beyond the range of s->strs. I'd be inclined to
> suspect the problem comes earlier when parsing this into wordcode.

I'm starting to wonder if this is an allocation rather than a parsing
problem --- the parsing is OK but something goes wrong with the final
pointer / afterwards / in building or copying the word code, so
that gettext2() or the exec code ends up trying to interpret garbage at
the end.

pws



Messages sorted by: Reverse Date, Date, Thread, Author