From: Bart Schaefer <schaefer@brasslantern.com>
To: zsh-workers@zsh.org
Subject: Re: zsh 5.0.5-dev-2
Date: Fri, 15 Aug 2014 10:17:01 -0700 [thread overview]
Message-ID: <140815101701.ZM5288@torch.brasslantern.com> (raw)
In-Reply-To: <20140815112316.GA17063@localhost.localdomain>
On Aug 15, 7:23pm, Han Pingtian wrote:
} Subject: Re: zsh 5.0.5-dev-2
}
} Hi,
}
} Looks like on the 747 line of Src/utils.c:
}
} 747 sprintf(xbuf2, "%s/%s", xbuf, *pp);
}
} The "cd .." will trigger a buffer overflow if I compile zsh with
} -D FORTIFY_SOURCE=2 . Shall we return -1 here if it will overflow xbuf2?
I think Fortify errors because xbuf2 and xbuf are the same size and
the sprintf format is appending at least one character. In practice
there would have to be a path segment PATH_MAX bytes long followed by
a file (directory) name at least PATH_MAX bytes long, which ought to
be impossible if the file system is well-behaved; in any other case
the readlink() will already have failed on the previous segment and
it already has either generated a partial expansion or returned -1.
If we're really worried about this, I think the solution would be to make
xbuf2 larger, e.g., PATH_MAX*3 or something. Does the fortify error go
away if you increase the size of xbuf2?
next prev parent reply other threads:[~2014-08-15 17:16 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-12 20:29 Peter Stephenson
2014-08-12 22:36 ` Axel Beckert
2014-08-13 14:04 ` zsh 5.0.5-dev-2 / Occassional hangs on Test/A05execution.ztst Axel Beckert
2014-08-13 19:08 ` Bart Schaefer
2014-08-14 8:48 ` Axel Beckert
2014-08-14 8:50 ` Peter Stephenson
2014-08-14 16:25 ` Bart Schaefer
2014-08-14 16:31 ` Axel Beckert
2014-08-14 17:34 ` Axel Beckert
2014-08-15 4:50 ` Bart Schaefer
2014-08-15 9:32 ` Axel Beckert
2014-08-15 17:33 ` Bart Schaefer
2014-08-15 19:42 ` Axel Beckert
2014-08-16 18:12 ` zsh 5.0.5/6 Peter Stephenson
2014-08-13 17:28 ` zsh 5.0.5-dev-2 Dominic Hopf
2014-08-13 22:34 ` Oliver Kiddle
2014-08-14 8:34 ` Peter Stephenson
2014-08-14 9:32 ` Peter Stephenson
2014-08-14 16:20 ` Bart Schaefer
2014-08-14 19:54 ` Peter Stephenson
2014-08-15 4:44 ` Bart Schaefer
2014-08-15 8:38 ` Peter Stephenson
2014-08-15 11:23 ` Han Pingtian
2014-08-15 17:17 ` Bart Schaefer [this message]
2014-08-16 0:35 ` Han Pingtian
2014-08-17 17:30 ` Bart Schaefer
2014-08-18 2:56 ` Han Pingtian
2014-08-18 6:36 ` Bart Schaefer
2014-08-18 14:02 ` Han Pingtian
2014-08-23 17:51 ` Symlink chasing Peter Stephenson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=140815101701.ZM5288@torch.brasslantern.com \
--to=schaefer@brasslantern.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).