List-Id: Zsh Workers List
X-Seq: 41065
From: Eduardo Bustamante
Date: Mon, 8 May 2017 09:00:38 -0500
Subject: Zsh parser infinite loop in chuck from utils.c on malformed input
To: zsh-workers@zsh.org
Cc: Eduardo A. Bustamante López

I'm not sure if this is working as expected, but the following input causes Zsh running with noexec to loop forever.

dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v loop
${(%%%%EuzktiOn)aY-^@|M-z^?^@M-^@M-^@M-^?M-^?M-^?ct/^\%{2///^\%ll^@^@M-u./L/+/M-^?M-^?M-^?^?//o//,{}}M-^?M-^?M-^?M-^@^@^A/////^\%333333333333333333333333333{(ifll^@^@^A//L/+///^A///^^//,{}}M-^?M-^?^@}/PJ;//5///^B"_ @#M-^?M-^?M-^?K&^@^B^@^@ M-h3#^B#M-^?M-^?M-^?^?$)0#^@^BM-b^@>&,"^@ M-^?^? @M-^?M-^?M-^?K&^D^B^@G]@ M-bM-m=&,"^@ ,"^@inM-^? @M-^?M-^? ^M^?55`55^G!;M-3

(gdb) r -n loop
Starting program: /home/dualbus/src/zsh/zsh/Src/zsh -n loop
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
loop:1: number truncated after 20 digits: 333333333333333333333333333(ifll^@^@^A//L/+///^A///^^//\M-^?\M-^?^@
loop:1: number truncated after 20 digits: 333333333333333333333333333{}\M-^?\M-^?^@
^C
Program received signal SIGINT, Interrupt.
0x00000000004cab23 in chuck (str=0x7fffc89f774f '\241' ...) at utils.c:2229
2229        while ((str[0] = str[1]))
(gdb) bt
#0  0x00000000004cab23 in chuck (str=0x7fffc89f774f '\241' ...) at utils.c:2229
#1  0x00000000004aa16c in promptexpand (s=0x7ffff7e5b938 "\203 |\372\177\203 \200\200\377\377\377ct/\034%2///\034%ll\203 \203 \365./L/+/\377\377\377\177//o//\377\377\377\200\203 \001/////\034%", '3' , "{}\377\377\203 ", ns=0, rs=0x0, Rs=0x0, txtchangep=0x0) at prompt.c:227
#2  0x00000000004bd636 in paramsubst (l=0x7fffffffbf90, n=0x7ffff7e5b6f8, str=0x7fffffffb940, qt=0, pf_flags=0, ret_flags=0x7fffffffbf1c) at subst.c:3580
#3  0x00000000004b4f33 in stringsubst (list=0x7fffffffbf90, node=0x7ffff7e5b6f8, pf_flags=0, ret_flags=0x7fffffffbf1c, asssub=0) at subst.c:247
#4  0x00000000004b42e5 in prefork (list=0x7fffffffbf90, flags=0, ret_flags=0x7fffffffbf1c) at subst.c:85
#5  0x0000000000440df5 in execcmd_getargs (preargs=0x7ffff7e5b6e0, args=0x7ffff7e5b618, expand=1) at exec.c:2659
#6  0x000000000043c1eb in execcmd_exec (state=0x7fffffffde30, eparams=0x7fffffffccf0, input=0, output=0, how=2, last1=2) at exec.c:2765
#7  0x000000000043b804 in execpline2 (state=0x7fffffffde30, pcode=131, how=2, input=0, output=0, last1=0) at exec.c:1873
#8  0x0000000000433f6e in execpline (state=0x7fffffffde30, slcode=3074, how=2, last1=0) at exec.c:1602
#9  0x0000000000432dfe in execlist (state=0x7fffffffde30, dont_change_job=0, exiting=0) at exec.c:1360
#10 0x000000000043277e in execode (p=0x7ffff7e5b4e8, dont_change_job=0, exiting=0, context=0x4d90c4 "toplevel") at exec.c:1141
#11 0x000000000045e366 in loop (toplevel=1, justonce=0) at init.c:208
#12 0x00000000004627d6 in zsh_main (argc=3, argv=0x7fffffffe458) at init.c:1692
#13 0x0000000000411a32 in main (argc=3, argv=0x7fffffffe458) at ./main.c:93
(gdb) p str
$1 = 0x7fffc89f774f '\241' ...