List-Id: Zsh Workers List
X-Seq: 33026
From: Bart Schaefer
Message-id: <140817103030.ZM12944@torch.brasslantern.com>
Date: Sun, 17 Aug 2014 10:30:30 -0700
In-reply-to: <20140816003504.GB17063@localhost.localdomain>
Comments: In reply to Han Pingtian "Re: zsh 5.0.5-dev-2" (Aug 16, 8:35am)
To: zsh-workers@zsh.org
Subject: Re: zsh 5.0.5-dev-2

On Aug 16, 8:35am, Han Pingtian wrote:
}
} I have tried PATH_MAX*3 and PATH_MAX*3 - 1, they both can fix the
} buffer overflow here. I also tried PATH_MAX*2 + 1/2/3, they don't
} fix this problem.

I suspect Fortify is reporting a potential error rather than a real one, because we'd presumably have seen other problems before this if "cd .." actually caused an 8kb buffer on the stack to overflow.

The whole symlink-chasing code is probably ripe to be rewritten with zsh-heap (or even malloc + static pointers) allocation unless we have reason to believe that's a serious performance issue. For the nonce I'll just commit xbuf2[PATH_MAX*3].

-- 
Barton E. Schaefer
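
The heap-allocation approach mentioned in the message above, sketched as an added example that is not zsh source and not part of the original message: buffers are sized from the actual link target and path lengths instead of a fixed PATH_MAX multiple. The names `read_link_alloc`, `join_dir_target` and `MAX_LINK_BUF` are hypothetical, and plain malloc/realloc stands in for zsh-heap allocation.

```c
#define _POSIX_C_SOURCE 200809L          /* readlink(), ssize_t */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define MAX_LINK_BUF ((size_t)1 << 20)   /* assumed sanity limit, 1 MiB */

/* Hypothetical helper: return the target of symlink `path` as a malloc'd,
 * NUL-terminated string, or NULL with errno set. The caller frees it. */
char *read_link_alloc(const char *path)
{
    char *buf = NULL;
    int err = ENAMETOOLONG;              /* reported if the limit is hit */
    for (size_t cap = 64; cap <= MAX_LINK_BUF; cap *= 2) {
        char *grown = realloc(buf, cap);
        if (!grown) { err = ENOMEM; break; }
        buf = grown;
        ssize_t n = readlink(path, buf, cap);
        if (n < 0) { err = errno; break; }
        if ((size_t)n < cap) { buf[n] = '\0'; return buf; }
        /* n == cap: target may be truncated, retry with a larger buffer */
    }
    free(buf);
    errno = err;
    return NULL;
}

/* Hypothetical helper: join a directory and a link target into a buffer
 * sized from the actual lengths. An absolute target replaces the directory. */
char *join_dir_target(const char *dir, const char *target)
{
    size_t dl = (target[0] == '/') ? 0 : strlen(dir);
    size_t tl = strlen(target);
    if (tl > SIZE_MAX - dl - 2) {
        errno = ENAMETOOLONG;
        return NULL;
    }
    char *out = malloc(dl + tl + 2);     /* dir + '/' + target + NUL */
    if (!out)
        return NULL;
    memcpy(out, dir, dl);
    if (dl)
        out[dl++] = '/';
    memcpy(out + dl, target, tl + 1);    /* copies the terminator too */
    return out;
}
```

Because every write is bounded by a size computed at the call site, a checker such as Fortify sees destination sizes that match the lengths actually passed.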