From: Peter Stephenson
To: zsh-workers@zsh.org
Subject: Re: Zsh - Multiple DoS Vulnerabilities
Date: Thu, 16 May 2019 21:37:09 +0100
Message-ID: <889eb5518ad0f98899ba24c2f3e95a87f7cc3df6.camel@ntlworld.com>
In-Reply-To: <21436-1557865831.121649@2P7I.HAU9.QsaG>
References: <21436-1557865831.121649@2P7I.HAU9.QsaG>
List-Id: Zsh Workers List
X-Seq: 44312

On Tue, 2019-05-14 at 22:30 +0200, Oliver Kiddle wrote:
> I'm finding this one will crash on Linux but hang on FreeBSD. And not
> crash with true as the condition. A variety of things can be used in the
> condition. while .. do .. done can be used in place of if .. then .. fi,
> && or ||. The me > you part can be cut down to :. Try the following:
>
> if [[ m -eq y ]]; then
> : && ! :
> fi
>
> Where I had a crash, it was interpreting the wordcode in ecgetstr().
> Where it does r = s->strs + (c >> 2), c had an infeasibly large value
> causing it to index well beyond the range of s->strs. I'd be inclined to
> suspect the problem comes earlier when parsing this into wordcode.

I'm starting to wonder if this is an allocation rather than a parsing
problem --- the parsing is OK but something goes wrong with the final
pointer / afterwards / in building or copying the word code, so that
gettext2() or the exec code ends up trying to interpret garbage at the
end.

pws
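A small harness, added here as an example and not taken from the thread or the zsh sources, that runs Oliver's reproducer under `zsh -n` (parse only, no execution) and then under normal execution, each with a watchdog, and classifies the outcome as a clean exit, a crash with its signal number, or a hang; that is how the Linux-crash versus FreeBSD-hang difference and the parse-versus-exec question above would show up in a regression test. It assumes POSIX sh; a `zsh` on PATH is only needed by `check_zsh_repro`.

```shell
#!/bin/sh
# Added example (not from the thread or the zsh sources): run the reproducer
# quoted above under zsh and classify what happens, so "crash on Linux, hang
# on FreeBSD" shows up as crash:<sig> vs hang.  Assumes POSIX sh.

# Reproducer from Oliver Kiddle's message; the other variants he lists swap
# if/then/fi for while/do/done or use && / || instead.
ZSH_REPRO='if [[ m -eq y ]]; then
: && ! :
fi'

# classify_run LIMIT CMD...: run CMD under a LIMIT-second watchdog and print
# one of: ok | nonzero:<exit status> | crash:<signal number> | hang
classify_run() {
    limit=$1; shift
    "$@" </dev/null >/dev/null 2>&1 &
    pid=$!
    # Watchdog: SIGKILL the child after LIMIT seconds.  Its stdout/stderr go
    # to /dev/null so it does not keep a caller's $(...) pipe open.
    ( sleep "$limit"; kill -KILL "$pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog=$!
    status=0
    wait "$pid" || status=$?           # capture the status even under set -e
    kill "$watchdog" >/dev/null 2>&1 || true
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -eq 137 ]; then   # 128+9: SIGKILL, i.e. our watchdog fired
        echo hang
    elif [ "$status" -gt 128 ]; then   # 128+N: died from signal N (11 = SIGSEGV)
        echo "crash:$((status - 128))"
    else
        echo "nonzero:$status"
    fi
}

# check_zsh_repro [ZSH]: parse-only mode (-n) first, then a real run.  A crash
# already under -n points at parsing / wordcode building; a crash only on
# execution points at the exec side, which is the split the thread is
# debating.  Returns 2 if no zsh binary is available.
check_zsh_repro() {
    zsh=${1:-zsh}
    command -v "$zsh" >/dev/null 2>&1 || { echo "skip: $zsh not found"; return 2; }
    echo "parse-only (-n): $(classify_run 5 "$zsh" -n -c "$ZSH_REPRO")"
    echo "execute:         $(classify_run 5 "$zsh" -c "$ZSH_REPRO")"
}
```

Run `check_zsh_repro /path/to/zsh` against a build before and after a candidate fix; the classifier is also usable on its own for any other shell test case.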