Segfault due short overflow in hist.c

zsh-workers
 help / color / mirror / code / Atom feed

* Segfault due short overflow in hist.c
@ 2023-02-12  9:46 donoban
  0 siblings, 0 replies; only message in thread
From: donoban @ 2023-02-12  9:46 UTC (permalink / raw)
  To: zsh-workers

Hi,

I noticed that after expanding a big directory with 'rm -fr *' I could
crash zsh in a reproducible way. Here is the backtrace from gdb:

(gdb) bt
#0  0x00005555555aa8be in hend (prog=prog@entry=0x7ffff7a5fbc8) at
hist.c:1578
#1  0x00005555555ab08f in loop (justonce=<optimized out>,
toplevel=<optimized out>) at init.c:170
#2  0x00005555555afacf in zsh_main (argc=<optimized out>,
argv=<optimized out>) at init.c:1794
#3  0x00007ffff7f809ca in libc_start_main_stage2 (main=0x55555556ad90
<main>, argc=1, argv=0x7fffffffe8c8) at src/env/__libc_start_main.c:95
#4  0x000055555556adab in _start ()

It seems that *chwords overflows with long enough strings so then it
tries to access a negative index in chline[].

I'm not sure of how it should it be properly fixed without breaking any
parts. Probably chwords should be a different type like size_t, but also
it needs some check for the next overflow scenario.

Best Regards!

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2023-02-12  9:47 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-12  9:46 Segfault due short overflow in hist.c donoban

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).