From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 44284
From: Oliver Kiddle
To: Bart Schaefer
cc: David Wells, "zsh-workers@zsh.org"
Subject: #7 (typeset -Tp) (was Re: Zsh - Multiple DoS Vulnerabilities)
Date: Sat, 11 May 2019 03:45:25 +0200
Message-ID: <58882-1557539125.040984@0wLk.G1UB.-8BX>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <58881.1557539125.1@hydra>

Bart wrote:
> > #7 Invalid read from *hasher *in *hashtable.c*
> > POC folder: *07_hasher_(hashtable.c_85)*
> +2> typeset -priTt CeE e
>
> and then just goes away until killed. Only that final typeset is
> necessary to reproduce the bug, the rest is irrelevant.

Actually all it needs is the combination of -T and -p along with variables
that aren't already tied. With other relevant branches of bin_typeset() for
things like typeset -pi, we check for OPT_ISSET(ops, 'p') early and don't
call typeset_single(). (-m is an exception to this.)

An alternative to the following patch would be to simply print an error.
This would just involve the -p test joining the -m test on the next lines
after the final bit of context. However, the behaviour as per this patch is
more consistent with other meaningless typeset combinations like -pi and -pF.

I'm fairly certain that the second part of the patch renders the lines
removed in the first part as dead code, but it'd be good if someone else
could check my logic, which is as follows: given -p, typeset_single() is
only now called when -m is set. usepm will always then be true because with
-m, pm will always be set and never with PM_UNSET. So we go into the
if (usepm) block on line 2193, which has early returns on every branch.

Oliver
diff --git a/Src/builtin.c b/Src/builtin.c index 49f017046..ca0ce35f5 100644 --- a/Src/builtin.c +++ b/Src/builtin.c @@ -2583,9 +2583,6 @@ typeset_single(char *cname, char *pname, Param pm, UNUSED(int func), } pm->node.flags |= (on & PM_READONLY); - if (OPT_ISSET(ops,'p')) - paramtab->printnode(&pm->node, PRINT_TYPESET); - return pm; } @@ -2714,7 +2711,7 @@ bin_typeset(char *name, char **argv, LinkList assigns, Options ops, int func) (!isset(GLOBALEXPORT) && !OPT_ISSET(ops,'g'))) on |= PM_LOCAL; - if (on & PM_TIED) { + if ((on & PM_TIED) && !OPT_ISSET(ops, 'p')) { Param apm; struct asgment asg0, asg2; char *oldval = NULL, *joinstr;
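Review bot: in the typeset_single() hunk (@@ -2583), removing the `if (OPT_ISSET(ops,'p'))` / `paramtab->printnode(&pm->node, PRINT_TYPESET);` pair deletes the only -p handling at this return, so any caller that still reaches it with -p set would now silently ignore the option; the argument that this is dead code rests on the `if (usepm)` block at line 2193 returning on every branch, which is not part of this hunk and should be checked, and the commit message should record that reasoning so the removal is not mistaken for a behaviour change.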
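Review bot: in the bin_typeset() hunk (@@ -2714), `if ((on & PM_TIED) && !OPT_ISSET(ops, 'p'))` skips the tied-parameter setup but leaves PM_TIED set in `on`, so it is worth confirming that nothing later in bin_typeset() acts on that bit when -p is given; and since `typeset -pT` on names that are not already tied is now quietly accepted rather than rejected, a regression test for that combination (the `typeset -priTt CeE e` reproducer reduced to just -p and -T) would guard against the hang coming back.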