From: Bart Schaefer
Date: Fri, 19 Jan 2024 21:51:46 -0800
Subject: [PATCH] math recursion and array overflow
To: Zsh hackers list
X-Seq: 52492

Math operations normally abort if recursion gets deeper than MAX_MLEVEL (256).
However, if the recursion is happening in an array subscript, it can rewind and try again until eventually we try to calculate the length of an empty array expansion, and kaboom.

This happens because parse_subscript() clears the error flag while using the lexer, so instead of stopping at the recursion limit we just try again on the next subscript until something goes wrong.

The easiest way to reproduce is to use a nameref:

  n=(1)
  typeset -n i='n[++i]'
  print $i

The following fixes it by aborting math operators upon operand error, but there might be other more elaborate ways to set it off. I tried some combinations using user-defined math functions but didn't find a failing recursive call strategy.

[Attachment: math-array-overflow.txt]
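A toy C model of the failure described in the message above, added here as an illustration; it is not zsh code and not part of the posted patch. The names parse_sub, eval_op and run are hypothetical, and the assumption that the operator resolves its subscript twice belongs to this model only.

```c
#include <stdio.h>

static int errflag;    /* global error flag, as in the description above */
static int level;      /* current recursion depth */
static int max_level;  /* stands in for MAX_MLEVEL */
static long fetches;   /* operand fetches started: the work actually done */

static long eval_op(int check);

/* Toy subscript parser: clears the error flag before evaluating the
 * subscript expression, which is the clobbering the message describes. */
static long parse_sub(int check)
{
    errflag = 0;
    return eval_op(check);
}

/* Toy operator on a self-referential subscript. Assumption of this model:
 * the operator resolves the subscript twice (read, then write-back). */
static long eval_op(int check)
{
    long v;
    if (level >= max_level) { errflag = 1; return 0; }  /* recursion limit */
    level++;
    fetches++;
    v = parse_sub(check);                 /* operand fetch */
    if (check && errflag) {               /* fix: abort on operand error */
        level--;
        return 0;
    }
    parse_sub(check);                     /* next subscript: flag cleared, retry */
    level--;
    return v + 1;
}

/* Evaluate once from the top; returns how many operand fetches happened. */
long run(int limit, int check)
{
    errflag = 0; level = 0; fetches = 0; max_level = limit;
    eval_op(check);
    return fetches;
}

int main(void)
{
    /* Small limit so the unchecked variant finishes: it grows as 2^limit - 1. */
    printf("unchecked: %ld fetches\n", run(10, 0));
    printf("checked:   %ld fetches\n", run(10, 1));
    return 0;
}
```

With the check in place the work is bounded by the limit itself, so the model also terminates promptly at a limit of 256; the unchecked variant should only be run with a small limit.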