* Segfault due short overflow in hist.c
@ 2023-02-12 9:46 donoban
0 siblings, 0 replies; only message in thread
From: donoban @ 2023-02-12 9:46 UTC (permalink / raw)
To: zsh-workers
Hi,
I noticed that after expanding a big directory with 'rm -fr *' I could
crash zsh in a reproducible way. Here is the backtrace from gdb:
(gdb) bt
#0 0x00005555555aa8be in hend (prog=prog@entry=0x7ffff7a5fbc8) at
hist.c:1578
#1 0x00005555555ab08f in loop (justonce=<optimized out>,
toplevel=<optimized out>) at init.c:170
#2 0x00005555555afacf in zsh_main (argc=<optimized out>,
argv=<optimized out>) at init.c:1794
#3 0x00007ffff7f809ca in libc_start_main_stage2 (main=0x55555556ad90
<main>, argc=1, argv=0x7fffffffe8c8) at src/env/__libc_start_main.c:95
#4 0x000055555556adab in _start ()
It seems that *chwords overflows with long enough strings so then it
tries to access a negative index in chline[].
I'm not sure of how it should it be properly fixed without breaking any
parts. Probably chwords should be a different type like size_t, but also
it needs some check for the next overflow scenario.
Best Regards!
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2023-02-12 9:47 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-12 9:46 Segfault due short overflow in hist.c donoban
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).