From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 33367
Date: Mon, 6 Oct 2014 16:24:34 +0200
From: Axel Beckert
To: zsh-workers@zsh.org
Subject: Re: Buffer overflow with long fd numbers in redirects
Message-ID: <20141006142434.GC5405@sym.noone.org>
Organization: DeuxChevaux.org -- The Citroën 2CV Database
User-Agent: Mutt/1.5.21 (2010-09-15)

Hi,

On Mon, Oct 06, 2014 at 04:00:44PM +0200, Mikael Magnusson wrote:
> Someone reported this on IRC the other day,
> % >&333333333333333333333
> zsh: number truncated after 20 digits: 333333333333333333333
> *** buffer overflow detected ***: zsh terminated
>
> At least one place where this is mishandled is in exec.c around line 3215,

I can reproduce this in 5.0.6.

But I can't reproduce this in 4.3.17 as in Debian Wheezy. There it
looks exactly like this:

> Output with the patch,
> % >&333333333333333333333
> zsh: number truncated after 20 digits: 333333333333333333333
> zsh: 553997653: bad file descriptor

!518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
~ → echo $ZSH_VERSION
4.3.17
!518 Z7 ?0 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:44
~ → >&333333333333333333333
zsh: number truncated after 20 digits: 333333333333333333333
zsh: 553997653: bad file descriptor
!519 Z8 ?1 L2 abe@snidget:~ (pts/40 zsh 4.3.17 wheezy) 16:22:50
~ →

So this issue probably crept in somewhen between 4.3.17 and 5.0.6.

		Kind regards, Axel
-- 
/~\  Plain Text Ribbon Campaign                   | Axel Beckert
\ /  Say No to HTML in E-Mail and News            | abe@deuxchevaux.org  (Mail)
 X   See http://www.nonhtmlmail.org/campaign.html | abe@noone.org (Mail+Jabber)
/ \  I love long mails: http://email.is-not-s.ms/ | http://noone.org/abe/ (Web)