From: Peter Stephenson <p.stephenson@samsung.com>
Date: Tue, 14 May 2019 11:50:40 +0100
Subject: Re: #3 typeset and braces (Re: Zsh - Multiple DoS Vulnerabilities)
Message-ID: <1557831040.4353.10.camel@samsung.com>
In-Reply-To: <10142-1557786965.820774@PTYq.v5pM.vFPY>
References: <10142-1557786965.820774@PTYq.v5pM.vFPY>
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 44296

On Tue, 2019-05-14 at 00:36 +0200, Oliver Kiddle wrote:
> On 10 May, Bart wrote:
> >
> > >
> > >     #3 Invalid read from *dupstring *in *string.c*
> > >     POC folder:  *03_dupstring_(string.c_39)*
> >
> > This gives exactly the same errors as #2, and then exits with
> >
> > [long ugly filename]:87: parse error near `}'
>
> I've cut this one down to just:
>
>   typeset Q= {X}
>
> That reliably seg faults for me. But that's about as far as I've
> been able to get - I'm not especially familiar with zsh's parsing
> code.

Stepping through the parsing code when intypeset is set (with the
optimiser turned off) made it fairly obvious where it was doing
something it shouldn't, and the fix is to adapt code from below to
this case...  This is an obscure case we'd be very unlikely to pick up
normally.  The new parse case isn't actually useful and is bound to
fail in the typeset, but the rational solution seems to be to let the
normal typeset code figure that out the same as if the Q= was missing
(which I've also added a test for).

pws

diff --git a/Src/parse.c b/Src/parse.c index 22e553a16..27234497b 100644 --- a/Src/parse.c +++ b/Src/parse.c @@ -1899,6 +1899,14 @@ par_simple(int *cmplx, int nr)       p += nrediradd;       sr += nrediradd;   } + else if (postassigns) + { +     /* C.f. normal case below */ +     postassigns++; +     ecadd(WCB_ASSIGN(WC_ASSIGN_SCALAR, WC_ASSIGN_INC, 0)); +     ecstr(toksave); +     ecstr(""); /* TBD can possibly optimise out */ + }   else   {       ecstr(toksave); diff --git a/Test/B02typeset.ztst b/Test/B02typeset.ztst index ac86e0ad1..e7bf93794 100644 --- a/Test/B02typeset.ztst +++ b/Test/B02typeset.ztst
@@ -1101,3 +1101,10 @@  >export zsh_exported_readonly_scalar=1  >readonly zsh_exported_readonly_array=( 2 )  >readonly zsh_exported_readonly_scalar=1 + +  # The second case was buggy as it needs special handling in postassigns +  (typeset {X}) +  (typeset Q= {X}) +1:Regression test for {...} parsing in typeset +?(eval):typeset:2: not valid in this context: {X} +?(eval):typeset:3: not valid in this context: {X}
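Review bot: in the par_simple hunk, the new `ecstr(""); /* TBD can possibly optimise out */` commits an open question; either drop the empty value string if the code that consumes WC_ASSIGN_SCALAR records tolerates its absence, or replace the TBD with a sentence stating that such a record always carries a value string (the "normal case below" that this branch copies presumably emits one for the same reason). The branch would also read better with a comment naming the input it exists for, a brace token such as `{X}` following an assignment inside a typeset (Oliver's `typeset Q= {X}` reduction), since the pre-existing `else { ecstr(toksave); }` path that used to take that input emits a bare word where the postassigns bookkeeping expects an assignment record, which is the mismatch the message describes as the parser "doing something it shouldn't". As the `ecadd(WCB_ASSIGN(...)); ecstr(toksave); ecstr("")` triple now appears twice in par_simple, a small static helper would keep the two copies from diverging.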
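Review bot: in the B02typeset.ztst hunk, the expected error lines hard-code `(eval):typeset:2` and `(eval):typeset:3`, which only hold while the comment occupies line 1 of the test chunk; anyone inserting a line above `(typeset {X})` will silently break the expectation, so consider placing the explanatory comment after the two commands or stating the line-number dependency in it. The comment "The second case was buggy as it needs special handling in postassigns" could also record what the bug was (a segfault on `typeset Q= {X}`, per the thread), so that a future failure of this chunk is recognisable as a regression of this fix rather than a reworded error message.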