From: Oliver Kiddle
To: Zsh workers
Subject: PATCH: allow for atoi() returning a negative number
Date: Wed, 15 May 2019 23:55:54 +0200
Message-ID: <76181-1557957354.693068@l7O-.SUn1.6KOq>

Given that a couple of the issues from fuzzing the shell amounted to not allowing for atoi() returning a negative number when given a number bigger than 2**31, I thought it would be worth checking for other cases. This patch handles two cases: a width field in strftime output of nanoseconds and the width for parameters.

For the parameter width, this is fairly minimal in that there are further variables that perhaps ought to be unsigned (or size_t). Such changes have a tendency to cascade. This is enough that it doesn't crash while doing the 2G of padding. I'd actually have thought an unsigned short would be sufficient for the width (and base) in struct param.

Oliver

diff --git a/Src/exec.c b/Src/exec.c index 6ac852112..60ab0acf8 100644 --- a/Src/exec.c +++ b/Src/exec.c @@ -2535,7 +2535,7 @@ setunderscore(char *str) { queue_signals(); if (str && *str) { - int l = strlen(str) + 1, nl = (l + 31) & ~31; + size_t l = strlen(str) + 1, nl = (l + 31) & ~31; if (nl > underscorelen || (underscorelen - nl) > 64) { zfree(zunderscore, underscorelen); diff --git a/Src/init.c b/Src/init.c index 2d5c3296d..445cd3937 100644 --- a/Src/init.c +++ b/Src/init.c @@ -45,7 +45,10 @@ int noexitct = 0; char *zunderscore; /**/ -int underscorelen, underscoreused; +size_t underscorelen; + +/**/ +int underscoreused; /* what level of sourcing we are at */ 
diff --git a/Src/params.c b/Src/params.c index df031ab64..1859c7c12 100644 --- a/Src/params.c +++ b/Src/params.c @@ -2201,10 +2201,10 @@ getstrvalue(Value v) if (v->flags & VALFLAG_SUBST) { if (v->pm->node.flags & (PM_LEFT|PM_RIGHT_B|PM_RIGHT_Z)) { - unsigned int fwidth = v->pm->width ? v->pm->width : MB_METASTRLEN(s); + size_t fwidth = v->pm->width ? (unsigned int)v->pm->width : MB_METASTRLEN(s); switch (v->pm->node.flags & (PM_LEFT | PM_RIGHT_B | PM_RIGHT_Z)) { char *t, *tend; - unsigned int t0; + size_t t0; case PM_LEFT: case PM_LEFT | PM_RIGHT_Z: @@ -5858,7 +5858,7 @@ printparamnode(HashNode hn, int printflags) doneminus = 0; } if ((pmptr->flags & PMTF_USE_WIDTH) && p->width) { - printf("%d ", p->width); + printf("%u ", p->width); doneminus = 0; } } diff --git a/Src/utils.c b/Src/utils.c index 32f600858..46cf7bcf6 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -3336,7 +3336,7 @@ morefmt: case '.': { long fnsec = nsec; - if (digs > 9) + if (digs < 0 || digs > 9) digs = 9; if (ztrftimebuf(&bufsize, digs)) return -1;
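
Review bot: in the setunderscore() hunk of Src/exec.c, `nl = (l + 31) & ~31` now masks a size_t with the int constant `~31`, which gives the right result only because the negative int is sign-extended on conversion; writing `~(size_t)31` would state the intent directly. The neighbouring `(underscorelen - nl) > 64` has become an unsigned subtraction and is safe only because `nl > underscorelen` is tested first, so a one-line comment there would keep a later reorder from turning it into a wraparound.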
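
Review bot: in the Src/init.c hunk, underscoreused stays int while underscorelen becomes size_t, so any place that stores the size_t `l` from setunderscore() into underscoreused, or compares the two, now mixes signedness and can narrow. Either make both size_t or note beside the declaration why the used length cannot exceed INT_MAX.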
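
Review bot: in the getstrvalue() hunk of Src/params.c, `(unsigned int)v->pm->width` turns a width that has gone negative into a pad length of 2G or more rather than rejecting it, so the request no longer crashes but the padding is still carried out at that size. Consider range-checking the width where it is parsed and stored, so that fwidth never sees a negative value, and add a comment saying what the cast guards against.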
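
Review bot: in the printparamnode() hunk of Src/params.c, `printf("%u ", p->width)` passes width uncast although the getstrvalue() hunk needs `(unsigned int)v->pm->width`, which implies the field is not unsigned int. Add the same cast here so the argument type matches `%u`.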
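
Review bot: in the Src/utils.c hunk, `digs < 0` is silently mapped to 9, the same as an over-large precision, with nothing to say why a digit count could be negative. A short comment that the negative value comes from atoi() on an oversized width field would explain the test, and a range-checked conversion where digs is parsed would remove the need for it.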
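
The failure mode the message describes, a width that goes negative and is then used as a length, shown next to a range-checked parse; this is an added example, not code from the patch or from zsh. `MAX_WIDTH`, `parse_width`, `width_or_default` and `width_as_pad_length` are hypothetical names chosen for the illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical cap for this example; not a zsh constant. */
#define MAX_WIDTH 4096

/* Range-checked alternative to atoi() for a width field: returns 0 and
 * stores the value, or -1 for garbage, a negative number, an
 * out-of-range number, or anything above MAX_WIDTH. */
int parse_width(const char *s, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0')       /* no digits, or trailing junk */
        return -1;
    if (errno == ERANGE || v < 0 || v > MAX_WIDTH)
        return -1;
    *out = (int)v;
    return 0;
}

/* Convenience wrapper: the parsed width, or dflt when it is rejected. */
int width_or_default(const char *s, int dflt)
{
    int w;
    return parse_width(s, &w) == 0 ? w : dflt;
}

/* What an (unsigned int) cast does to a width that is already
 * negative: it is reinterpreted as a very large pad length. */
size_t width_as_pad_length(int stored_width)
{
    return (size_t)(unsigned int)stored_width;
}

int main(void)
{
    /* Constructed inputs: a sane width, one above 2**31, INT_MIN. */
    printf("%d %d %zu\n", width_or_default("12", 0),
           width_or_default("3000000000", 0),
           width_as_pad_length(INT_MIN));
    return 0;
}
```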