Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 45861
Date: Wed, 20 May 2020 00:40:15 +0000
From: Daniel Shahaf
To: Aaron Esau
Cc: "zsh-workers@zsh.org", Peter Stephenson
Subject: Re: [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c
Message-ID: <20200520004015.1689d22b@tarpaulin.shahaf.local2>

Aaron Esau wrote on Tue, 19 May 2020 06:48 +0000:
> The following code in check_colon_subscript in subst.c checks if the value at a pointer obtained from a call to parse_subscript is NULL:
> 
>     *endp = parse_subscript(str, 0, ':');
>     if (!*endp) {
>         /* No trailing colon? */
>         *endp = parse_subscript(str, 0, '\0');
>         if (!*endp)
>             return NULL;
>     } 
> 
> However, the pointer itself can be NULL. [...]
> 
> ## Patch
> 
> diff --git Src/subst.c Src/subst.c
> index 90b5fc121..ac12c6d0e 100644
> --- Src/subst.c
> +++ Src/subst.c
> @@ -1571,10 +1571,10 @@ check_colon_subscript(char *str, char **endp)
> } 
> 

Your MUA corrupted the patch by munging the trailing whitespace.

You generated the patch without the a/ and b/ prefixes. I tried this once but discovered (to my dismay) that «git apply» doesn't apply such patches by default. How do you deal with that?

> *endp = parse_subscript(str, 0, ':');
> - if (!*endp) {
> + if (endp && !*endp) {
> /* No trailing colon? */
> *endp = parse_subscript(str, 0, '\0');
> - if (!*endp)
> + if (endp && !*endp)
> return NULL;
> } 
> sav = **endp;

endp has already been dereferenced by the time you have it tested for NULL. Thus, this patch is a no-op. In fact, you'll probably find the (optimized) object code generated for this snippet is not changed by applying this patch. If this patch changes the behaviour at all, that'd be a compiler bug.

Besides, all callers pass non-NULL values for endp.

Did you post the correct patch?

Daniel
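Review bot: the guard added in `+ if (endp && !*endp) {` sits after the unchanged context line `*endp = parse_subscript(str, 0, ':');`, which has already written through endp, so a NULL endp would crash before the new test runs; the second `+ if (endp && !*endp)` has the same problem, and the trailing `sav = **endp;` dereferences again with no guard at all. A null check can only be effective before the first write through endp (at function entry), but since the reply states that every caller passes a non-NULL endp, the patch should first be backed by a reproducer showing which caller supplies NULL; without one there is nothing for this hunk to fix.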