From: Oliver Kiddle
To: David Wells, zsh-workers@zsh.org
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Mon, 13 May 2019 23:44:25 +0200
Message-ID: <8578-1557783865.661501@UTJ_.q-YD.8lmQ>
List-Id: Zsh Workers List
X-Seq: 44291

> On Fri, May 10, 2019 at 8:04 AM David Wells wrote:
> > #4 Invalid read from *bin_print* in *builtin.c*
> > POC folder: *04_bin_print_(builtin.c_5009)*

This seems to be very similar to #6: string to int conversion overflowing to a negative number. In this case you can reproduce it with just:

    printf '%4444444444444$'

Note that narg below is of type int despite the use of strtoul().

Oliver

diff --git a/Src/builtin.c b/Src/builtin.c
index ca0ce35f5..a8f054c8a 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -4990,8 +4990,7 @@ bin_print(char *name, char **args, Options ops, int func)
 narg = strtoul(c, &endptr, 0);
 if (*endptr == '$') {
 c = endptr + 1;
-DPUTS(narg <= 0, "specified zero or negative arg");
-if (narg > argc) {
+if (narg <= 0 || narg > argc) {
 zwarnnam(name, "%d: argument specifier out of range", narg);
 if (fout != stdout)
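Review bot: the new `if (narg <= 0 || narg > argc)` check still runs on narg after the strtoul() result has been narrowed to int, so it only catches values that wrap to zero or negative; a specifier that wraps to a small positive int (for example 4294967297 with a 64-bit unsigned long, which narrows to 1) passes the check and silently selects a different argument than the one written. Consider keeping the strtoul() result in an unsigned long, checking errno for ERANGE, and comparing that value against argc before assigning it to narg, along the lines of `unsigned long n = strtoul(c, &endptr, 0); if (n == 0 || n > (unsigned long)argc) { ... }`. Replacing the DPUTS() with a runtime check is the right direction, since the specifier is user input and a debug-only assertion does nothing in a normal build; note that the `%d` in the warning will print the narrowed value rather than what the user typed.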
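The conversion problem Oliver describes, as an added example that is not part of the original message or of zsh's source: a `%N$` positional specifier parsed the way bin_print does it, once with the strtoul() result narrowed into an int before any check (the pre-patch shape), and once keeping the unsigned long, checking ERANGE and the range, and narrowing only afterwards. The function names, the INT_MIN "rejected" sentinel and the two-element sample argument list are assumptions made for this demonstration.

```c
/*
 * Added example, not zsh code: "%N$" argument-specifier parsing written
 * twice.  parse_spec_unsafe() narrows the strtoul() result into an int
 * before checking it, as the pre-patch bin_print code did;
 * parse_spec_safe() keeps the unsigned long, checks ERANGE and the range,
 * and only then narrows.  Names and sample data are assumptions.
 */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pre-patch shape: the value is truncated to int on assignment, and the
 * only runtime check is narg > argc (the zero/negative check was a
 * debug-only DPUTS).  Returns 1 and stores narg if accepted, 0 if not. */
static int parse_spec_unsafe(const char *spec, int argc, int *out)
{
    char *endptr;
    int narg = strtoul(spec, &endptr, 0);   /* unsigned long -> int here */

    if (*endptr != '$')
        return 0;
    if (narg > argc)
        return 0;
    *out = narg;                            /* may be zero or negative */
    return 1;
}

/* Same outcome as parse_spec_unsafe() collapsed into one int: INT_MIN
 * (assumed sentinel) means rejected, anything else is the narg it would use. */
static int unsafe_value(const char *spec, int argc)
{
    int narg;
    return parse_spec_unsafe(spec, argc, &narg) ? narg : INT_MIN;
}

/* Hardened version: require a leading digit (strtoul() would otherwise
 * accept whitespace and a '-' sign and wrap), detect overflow via errno,
 * and compare against argc while still an unsigned long.  Returns the
 * 1-based argument index, or -1 if the specifier is rejected. */
static int parse_spec_safe(const char *spec, int argc)
{
    char *endptr;
    unsigned long n;

    if (!isdigit((unsigned char)*spec))
        return -1;
    errno = 0;
    n = strtoul(spec, &endptr, 0);
    if (*endptr != '$')
        return -1;
    if (errno == ERANGE || n == 0 || n > (unsigned long)argc)
        return -1;
    return (int)n;                          /* now known to fit in an int */
}

/* What the index is used for: args[narg - 1].  With the unsafe parser a
 * zero or negative narg reads before the start of args; this version only
 * indexes after parse_spec_safe() has accepted the value. */
static const char *pick_arg(const char *spec, char **args, int argc)
{
    int narg = parse_spec_safe(spec, argc);
    return narg < 0 ? NULL : args[narg - 1];
}

/* Constructed sample arguments standing in for the shell's argument list. */
static char *sample_args[] = { "one", "two" };

static const char *demo(const char *spec)
{
    return pick_arg(spec, sample_args, 2);
}

int main(void)
{
    const char *specs[] = { "2$", "0$", "-1$", "4294967297$", "4444444444444$" };
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        int u = unsafe_value(specs[i], 2);
        const char *p = demo(specs[i]);
        printf("%-16s unsafe narg: ", specs[i]);
        if (u == INT_MIN)
            printf("%-13s", "rejected");
        else
            printf("%-13d", u);
        printf(" safe: %s\n", p ? p : "rejected");
    }
    return 0;
}
```

The last two specifiers are the interesting ones: with a 64-bit unsigned long, `4444444444444$` narrows to a negative int that the old check lets through (the invalid read in the report), while `4294967297$` narrows to 1 and would quietly select the first argument; both are rejected once the comparison is done before narrowing.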