Date: Mon, 18 Aug 2014 22:02:29 +0800
From: Han Pingtian
To: zsh-workers@zsh.org
Subject: Re: zsh 5.0.5-dev-2
Message-ID: <20140818140229.GB4198@localhost.localdomain>
In-Reply-To: <140817233619.ZM25264@torch.brasslantern.com>

On Sun, Aug 17, 2014 at 11:36:19PM -0700, Bart Schaefer wrote:
> On Aug 18, 10:56am, Han Pingtian wrote:
> } Subject: Re: zsh 5.0.5-dev-2
> }
> } On Sun, Aug 17, 2014 at 10:30:30AM -0700, Bart Schaefer wrote:
> } >
> } > I suspect Fortify is reporting a potential error rather than a real
> } > one, because we'd presumably have seen other problems before this if
> } > "cd .." actually caused an 8kb buffer on the stack to overflow.
> }
> } I have tried to print the length of xbuf and *pp before the sprintf().
> } Looks like when the overflow is being triggered, the length of xbuf is 8188,
> } and the length of *pp is 10.
>
> I now suspect you've deliberately constructed and (with chaselinks not
> set?) cd'd one level down at a time into a path that's at least 8188
> characters long, and then setopt chaselinks and done "cd .." from the
> bottom directory in that path. Is that correct?
>

Sorry for the confusion. I found this problem with this command, which comes from 32274:

    % for i in `seq 1000`; do mkdir 0123456789; cd 0123456789; done; cd ..

And the filesystem is tmpfs. I don't set chaselinks, but it looks like it will be set within cd_try_chdir():

    if (!chasinglinks)
        dochaselinks = fixdir(buf);
    ... ...
    if (dochaselinks)
        chasinglinks = 1;

then xsymlink() will be called.
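An added example, not zsh code: a bounded-append helper in C that checks whether "/component" fits in a fixed path buffer before writing, run against the numbers in this report (8188 bytes already held in an 8192-byte xbuf, a 10-character component). The names append_component, simulate_report and levels_until_full and the assumed 8192-byte buffer size are not from zsh.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical helper, not zsh code: append "/comp" to a fixed-size path
 * buffer only if the result (plus NUL) fits. Returns the new length, or -1
 * when an unchecked sprintf() at this point would run past the buffer. */
static long append_component(char *buf, size_t bufsz, const char *comp)
{
    size_t cur = strlen(buf);
    size_t need = cur + 1 + strlen(comp) + 1;   /* '/' + comp + NUL */
    if (need > bufsz)
        return -1;                              /* refuse instead of overflowing */
    /* bounded write: snprintf can never write beyond bufsz */
    snprintf(buf + cur, bufsz - cur, "/%s", comp);
    return (long)(cur + 1 + strlen(comp));
}

/* Assumed buffer size matching the "8kb buffer" mentioned in the thread. */
#define XBUF_SIZE 8192

/* Reproduce the numbers from the report: xbuf already 8188 characters long,
 * *pp a 10-character component such as "0123456789". */
static long simulate_report(void)
{
    static char xbuf[XBUF_SIZE];
    memset(xbuf, 'a', 8188);
    xbuf[8188] = '\0';
    return append_component(xbuf, sizeof xbuf, "0123456789");
}

/* How many "/0123456789" components fit in the buffer before the bounded
 * append refuses: far fewer than the 1000 levels the mkdir/cd loop creates. */
static int levels_until_full(void)
{
    char buf[XBUF_SIZE] = "";
    int n = 0;
    while (append_component(buf, sizeof buf, "0123456789") >= 0)
        n++;
    return n;
}

int main(void)
{
    printf("append into 8188-byte path: %ld\n", simulate_report());
    printf("components that fit in %d bytes: %d\n", XBUF_SIZE, levels_until_full());
    return 0;
}
```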