From: Kamil Dudka <kdudka@redhat.com>
To: Oliver Kiddle <okiddle@yahoo.co.uk>
Cc: zsh-workers@zsh.org
Subject: Re: PATCH: spelling correction buffer overflow
Date: Wed, 28 Mar 2018 13:20:56 +0200 [thread overview]
Message-ID: <2328442.7oMNVitVLA@kdudka-nb> (raw)
In-Reply-To: <52497193.Jvz9bWjiNL@kdudka-nb>
On Tuesday, March 27, 2018 11:55:50 PM CEST Kamil Dudka wrote:
> On Tuesday, March 27, 2018 12:39:55 AM CEST Oliver Kiddle wrote:
> > In utils.c:spname(), there's no checking on newname[] for overflows in
> > two out the of three places where it is appended to.
>
> Thanks! After applying this patch, zsh does not crash any more while
> trying to correct an overly long command.
I spotted that this patch introduced new compiler warnings:
Src/utils.c:4430:26: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
# return (new - newname) >= (sizeof(newname)-1) ? NULL : newname;
# ^
Src/utils.c:4438:26: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
# if ((new - newname) >= (sizeof(newname)-1))
# ^
The full report is available at:
https://travis-ci.org/kdudka/zsh/builds/359289437#L2837
Should we cast RHS of the >= operator to ssize_t or ptrdiff_t to avoid them?
> Kamil
>
> > returning NULL appears to abort the command-line rather than aborting
> > only correction which is perhaps not ideal but the aim here is not to
> > corrupt other bits of memory.
> >
> > This also tweaks the struncpy() function I updated in the earlier patch.
> >
> > Oliver
> >
> > diff --git a/Src/utils.c b/Src/utils.c
> > index 998b16220..9ea34ab54 100644
> > --- a/Src/utils.c
> > +++ b/Src/utils.c
> > @@ -2283,7 +2283,8 @@ struncpy(char **s, char *t, int n)
> >
> > {
> >
> > char *u = *s;
> >
> > - while (n-- && (*u++ = *t++));
> > + while (n-- && (*u = *t++))
> > + u++;
> >
> > *s = u;
> > if (n > 0) /* just one null-byte will do, unlike strncpy(3) */
> >
> > *u = '\0';
> >
> > @@ -4420,17 +4421,20 @@ spname(char *oldname)
> >
> > * odd to the human reader, and we may make use of the total *
> > * distance for all corrections at some point in the future. */
> >
> > if (bestdist < maxthresh) {
> >
> > - strcpy(new, spnameguess);
> > - strcat(new, old);
> > - return newname;
> > + struncpy(&new, spnameguess, sizeof(newname) - (new - newname));
> > + struncpy(&new, old, sizeof(newname) - (new - newname));
> > + return (new - newname) >= (sizeof(newname)-1) ? NULL : newname;
> >
> > } else
> >
> > return NULL;
> >
> > } else {
> >
> > maxthresh = bestdist + thresh;
> > bestdist += thisdist;
> >
> > }
> >
> > - for (p = spnamebest; (*new = *p++);)
> > + for (p = spnamebest; (*new = *p++);) {
> > + if ((new - newname) >= (sizeof(newname)-1))
> > + return NULL;
> >
> > new++;
> >
> > + }
> >
> > }
> >
> > }
next prev parent reply other threads:[~2018-03-28 11:20 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-26 22:39 Oliver Kiddle
2018-03-27 21:55 ` Kamil Dudka
2018-03-27 23:10 ` Bart Schaefer
2018-03-28 8:01 ` Kamil Dudka
2018-03-28 11:20 ` Kamil Dudka [this message]
2018-03-28 14:07 ` Oliver Kiddle
2018-03-29 8:42 ` Kamil Dudka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2328442.7oMNVitVLA@kdudka-nb \
--to=kdudka@redhat.com \
--cc=okiddle@yahoo.co.uk \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).