From: Bart Schaefer
Message-id: <141006080709.ZM11332@torch.brasslantern.com>
Date: Mon, 06 Oct 2014 08:07:09 -0700
In-reply-to: <20141006142434.GC5405@sym.noone.org>
Comments: In reply to Axel Beckert "Re: Buffer overflow with long fd numbers in redirects" (Oct 6, 4:24pm)
References: <20141006142434.GC5405@sym.noone.org>
To: zsh-workers@zsh.org
Subject: Re: Buffer overflow with long fd numbers in redirects

On Oct 6, 4:24pm, Axel Beckert wrote:
}
} On Mon, Oct 06, 2014 at 04:00:44PM +0200, Mikael Magnusson wrote:
} > Someone reported this on IRC the other day,
} > % >&333333333333333333333
} > zsh: number truncated after 20 digits: 333333333333333333333
} > *** buffer overflow detected ***: zsh terminated
} >
} > At least one place where this is mishandled is in exec.c around line 3215,
}
} I can reproduce this in 5.0.6.
}
} But I can't reproduce this in 4.3.17 as in Debian Wheezy.

I think that may be a difference in compilation rather than in code, i.e.
whether the binary was compiled with FORTIFY_SOURCE defined.

The char fdstr[4] has been there since before 1999. DIGBUFSIZ should be used
there, as PWS suggested.
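The bug class discussed in this thread, as an added example that is not part of the message or of zsh's source: a fixed char[4] buffer holds at most three digits plus NUL, so any larger fd number overruns it, whereas a buffer sized from the integer width together with a bounded write cannot. FD_BUF_SIZE below is an assumed stand-in for zsh's DIGBUFSIZ, not its actual definition, and the function names are the example's own.

```c
/* Added example (not zsh's code): a fixed char[4] buffer cannot hold an
 * arbitrary fd number; a buffer sized from the integer width plus a bounded
 * write cannot overflow. FD_BUF_SIZE is an assumed stand-in for DIGBUFSIZ. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Decimal digits any int can need: bits * log10(2) (0.30103), plus one for
 * a leading '-' and one for the terminating NUL. */
#define FD_BUF_SIZE ((int)(sizeof(int) * CHAR_BIT * 30103 / 100000) + 3)

/* Bytes (excluding the NUL) that the decimal form of fd occupies. */
static int fd_str_len(int fd)
{
    return snprintf(NULL, 0, "%d", fd);
}

/* The pattern from the report: char fdstr[4] holds at most 3 digits plus
 * NUL, so any fd >= 1000 (or negative below -99) overruns it. */
static int overflows_fdstr4(int fd)
{
    return fd_str_len(fd) >= 4;
}

/* Hardened form: bounded write, failure reported instead of an overrun.
 * Returns 0 on success, -1 if the value does not fit in outsz bytes. */
static int format_fd(int fd, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, "%d", fd);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char sized[FD_BUF_SIZE];
    int fds[] = { 2, 999, 1000, INT_MAX, INT_MIN };
    for (size_t i = 0; i < sizeof fds / sizeof fds[0]; i++)
        printf("fd %d needs %d bytes: char[4] %s, char[%d] %s\n", fds[i],
               fd_str_len(fds[i]) + 1,
               overflows_fdstr4(fds[i]) ? "OVERFLOWS" : "ok", FD_BUF_SIZE,
               format_fd(fds[i], sized, sizeof sized) == 0 ? "ok" : "FAIL");
    return 0;
}
```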