Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
Re: [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c
- X-seq: zsh-workers 45861
- From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
- To: Aaron Esau <arinerron@xxxxxxxxxxxxxx>
- Subject: Re: [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c
- Date: Wed, 20 May 2020 00:40:15 +0000
- Cc: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>, Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
- In-reply-to: <wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>
Aaron Esau wrote on Tue, 19 May 2020 06:48 +0000:
> The following code in check_colon_subscript in subst.c checks if the value at a pointer obtained from a call to parse_subscript is NULL:
>
> *endp = parse_subscript(str, 0, ':');
> if (!*endp) {
> /* No trailing colon? */
> *endp = parse_subscript(str, 0, '\0');
> if (!*endp)
> return NULL;
> }
>
> However, the pointer itself can be NULL. [...]
>
> ## Patch
>
> diff --git Src/subst.c Src/subst.c
> index 90b5fc121..ac12c6d0e 100644
> --- Src/subst.c
> +++ Src/subst.c
> @@ -1571,10 +1571,10 @@ check_colon_subscript(char *str, char **endp)
> }
>
Your MUA corrupted the patch by munging the trailing whitespace.
You generated the patch without the a/ and b/ prefixes. I tried this
once but discovered (to my dismay) that «git apply» doesn't apply such
patches by default. How do you deal with that?
> *endp = parse_subscript(str, 0, ':');
> - if (!*endp) {
> + if (endp && !*endp) {
> /* No trailing colon? */
> *endp = parse_subscript(str, 0, '\0');
> - if (!*endp)
> + if (endp && !*endp)
> return NULL;
> }
> sav = **endp;
endp has already been dereferenced by the time you have it tested for
NULL. Thus, this patch is a no-op. In fact, you'll probably find the
(optimized) object code generated for this snippet is not changed by
applying this patch. If this patch changes the behaviour at all, that'd
be a compiler bug.
Besides, all callers pass non-NULL values for endp.
Did you post the correct patch?
Daniel
Messages sorted by:
Reverse Date,
Date,
Thread,
Author