From: Peter Stephenson <p.stephenson@samsung.com>
To: <zsh-workers@zsh.org>
Subject: Re: #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities)
Date: Tue, 14 May 2019 11:50:40 +0100
Message-ID: <1557831040.4353.10.camel@samsung.com>
In-Reply-To: <10142-1557786965.820774@PTYq.v5pM.vFPY>

On Tue, 2019-05-14 at 00:36 +0200, Oliver Kiddle wrote:
> On 10 May, Bart wrote:
> > 
> > > 
> > >     #3 Invalid read from dupstring in string.c
> > >     POC folder:  03_dupstring_(string.c_39)
> > This gives exactly the same errors as #2, and then exits with
> > 
> > [long ugly filename]:87: parse error near `}'
> I've cut this one down to just:
> 
>   typeset Q= {X}
> 
> That reliably seg faults for me. But that's about as far as I've
> been able to get - I'm not especially familiar with zsh's parsing
> code.

Stepping through the parsing code when intypeset is set (with the
optimiser turned off) made it fairly obvious where it was doing
something it shouldn't, and the fix is to adapt code from below to this
case...  This is an obscure case we'd be very unlikely to pick up
normally.

The new parse case isn't actually useful and is bound to fail in the
typeset, but the rational solution seems to be to let the normal typeset
code figure that out the same as if the Q= was missing (which I've also
added a test for).

pws

diff --git a/Src/parse.c b/Src/parse.c
index 22e553a16..27234497b 100644
--- a/Src/parse.c
+++ b/Src/parse.c
@@ -1899,6 +1899,14 @@ par_simple(int *cmplx, int nr)
 			    p += nrediradd;
 			    sr += nrediradd;
 			}
+			else if (postassigns)
+			{
+			    /* C.f. normal case below */
+			    postassigns++;
+			    ecadd(WCB_ASSIGN(WC_ASSIGN_SCALAR, WC_ASSIGN_INC, 0));
+			    ecstr(toksave);
+			    ecstr("");	/* TBD can possibly optimise out */
+			}
 			else
 			{
 			    ecstr(toksave);
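Review bot: the new `else if (postassigns)` branch duplicates the assignment-emitting sequence it points at with `/* C.f. normal case below */`, and the `/* TBD can possibly optimise out */` on `ecstr("")` ships an open question into the parser. Before merging, either resolve the TBD (drop the empty value string if the WC_ASSIGN_SCALAR word does not need one, or say in the comment that it does) and name the mirrored case explicitly, or factor `postassigns++; ecadd(WCB_ASSIGN(WC_ASSIGN_SCALAR, WC_ASSIGN_INC, 0)); ecstr(toksave); ecstr("");` into one helper shared with the normal case so the two paths cannot drift apart. Note also that this branch is only taken when `postassigns` is already non-zero, so `typeset {X}` with no preceding assignment still goes through the plain `ecstr(toksave)` path in the `else`; that is why both forms belong in the regression test.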
diff --git a/Test/B02typeset.ztst b/Test/B02typeset.ztst
index ac86e0ad1..e7bf93794 100644
--- a/Test/B02typeset.ztst
+++ b/Test/B02typeset.ztst
@@ -1101,3 +1101,10 @@
 >export zsh_exported_readonly_scalar=1
 >readonly zsh_exported_readonly_array=( 2 )
 >readonly zsh_exported_readonly_scalar=1
+
+  # The second case was buggy as it needs special handling in postassigns
+  (typeset {X})
+  (typeset Q= {X})
+1:Regression test for {...} parsing in typeset
+?(eval):typeset:2: not valid in this context: {X}
+?(eval):typeset:3: not valid in this context: {X}
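Review bot: the comment on the new test chunk only says the second case "was buggy"; since the report in this thread is that `typeset Q= {X}` reliably segfaulted the parser, state that in the comment so a future reader knows this is a crash regression and not merely a check of the "not valid in this context" diagnostic. The expected stderr lines are keyed to `typeset:2` and `typeset:3`, the line numbers within the chunk, so inserting another line above `(typeset {X})` will silently shift them; keep the comment line first, or adjust the numbers if the chunk is reordered.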

