Not closing a %( would simply read garbage memory
% zformat -f result 'before%(a-after' 'a:hello' ; echo $result
beforeaftera:hello
% zformat -f result 'before%(a-after' 'a:hello' ; echo $result
beforeafter#
It was possible to overwrite the %% and %) sequences with arbitrary
text, and %% was also undocumented. Hopefully nobody relied on this
spacekey heater.
|
zsh% zselect 2023
==2815== Syscall param select(exceptfds) points to uninitialised byte(s)
==2815== at 0x4DDA2D6: select (in /lib64/libc-2.32.so)
==2815== by 0x4885937: bin_zselect (zselect.c:175)
==2815== by 0x410C5E: execbuiltin (builtin.c:506)
==2815== by 0x43A5FC: execcmd_exec (exec.c:4259)
==2815== by 0x433BE1: execpline2 (exec.c:2040)
==2815== by 0x432824: execpline (exec.c:1765)
==2815== by 0x431A7D: execlist (exec.c:1515)
==2815== by 0x4310E3: execode (exec.c:1296)
==2815== by 0x457D15: loop (init.c:223)
==2815== by 0x45C151: zsh_main (init.c:1933)
==2815== by 0x40FD61: main (main.c:93)
==2815== Address 0x1ffeffe5b0 is on thread 1's stack
==2815== in frame #1, created by bin_zselect (zselect.c:66)
zselect: error on select: bad file descriptor
|
checkptycmd would sign extend a 0xff byte to -1, causing the byte to be
dropped, read into an unsigned char instead

the "last despairing effort" code read directly into the int, which
would probably not work on big endian. read into a temporary unsigned
char instead

the FIONREAD path used a totally undeclared variable "val", declare it,
and also initialize pollret to -1 for this path

the USE_CYGWIN_FIX path error message would always report -1 as the fd
it was unable to duplicate, report the original fd instead

initial read before the main loop in ptyread forgot to metafy the byte

avoid calling malloc with 0 length as this may be misinterpreted as oom

don't try to open sfd if opening mfd failed
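
The first item of the message above, reproduced as an added example (not code from zsh or from this commit). The helper names and the use of -1 as the "no byte" marker are assumptions made for the illustration.

```c
#include <stdio.h>
#include <unistd.h>

#define NO_BYTE (-1)    /* assumed sentinel: nothing could be read */

/* Pattern the message describes: the byte lands in a signed char, so
 * 0xff is sign-extended to -1 and collides with the sentinel. */
static int next_byte_signed(int fd)
{
    signed char c;      /* plain char is signed on many ABIs */
    if (read(fd, &c, 1) != 1)
        return NO_BYTE;
    return c;
}

/* Fix named in the message: read into an unsigned char. A one-byte
 * temporary also avoids read()ing straight into an int, whose first
 * byte is the most significant one on big-endian machines. */
static int next_byte_unsigned(int fd)
{
    unsigned char c;
    if (read(fd, &c, 1) != 1)
        return NO_BYTE;
    return c;
}

/* Push one constructed byte through a pipe and decode it either way. */
static int roundtrip(unsigned char byte, int use_unsigned)
{
    int p[2], got = -2;
    if (pipe(p) != 0)
        return -2;
    if (write(p[1], &byte, 1) == 1)
        got = use_unsigned ? next_byte_unsigned(p[0]) : next_byte_signed(p[0]);
    close(p[0]);
    close(p[1]);
    return got;
}

int main(void)
{
    printf("0xff via signed char:   %d\n", roundtrip(0xff, 0));
    printf("0xff via unsigned char: %d\n", roundtrip(0xff, 1));
    return 0;
}
```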
|
And also make sure metafy won't write outside the buffer, it can in
theory become twice as long, so use half the buffer size at most.
|
Ideally, these should just be unmetafy()d and passed to ncurses, but the
reality is that ncurses will just segfault if we do that when the user
passes a non-ascii value.
% echo $terminfo[らしりれ]
zsh: segmentation fault
% echotc れりの
zsh: segmentation fault
The tparm values do seem to work fine with multibyte strings, so do
unmetafy() for those.
|
% echo $(( zrand_int(4294967295) ))
zsh: Upper bound (4294967295) out of range: 0-4294967295
3910196459

read loop had incorrect condition as well as passing negative status
codes on to the pointer arithmetic

clz64 shifted by 1 bit instead of 2

remove incorrect comment (it applies to the case where max is 1, which
is not very interesting)

and some minor stuff
|
behavior
|
use strtol, not strtod

use WEXITSTATUS on returned status, though I'm not sure when this path
can actually be taken?

don't abort getting group names just because one name is missing

storing ${(kv)parameters} in a copy and then reading that wouldn't say
what type a nameref pointed to

setting multiple options via options=( foo on ) didn't verify the option
name before trying to set it, reporting it as a failure to set it instead
|
Adding a test for this is not trivial since tccolours is set directly
from a termcap lookup, and is specifically documented in the code as
"may not be set".
|
If (#m) was not active, the getsparam("MATCH") is always NULL,
terminating the whole array. Copying zsh_match into *ap didn't advance
the pointer, NULL terminating the pointer again. The array length was
one short (MATCH in front and NULL terminator means it should be +2).
|
In practice, name is always ascii so this is all no-op anyway, but just
in case someone models code on this, make it less likely to confuse them.
|
% typeset -A .zle.hlgroups
% zmodload -i zsh/hlgroup
% : ${.zle.hlgroups[select]}
% print ${(k).zle.esc}
zsh: segmentation fault
Also add check on !hlg too for paranoia, not sure if that can actually
happen, but getgroup has the same check.
|
This allows using more than 256 color pairs.
|
mouseinterval returns the old mouse interval, not an ok/err status.

mousemask returns 0 on failure

zccmd_bg called wattron/off directly for attributes, instead of storing
them in the ch variable being passed to wbkgd so they weren't actually
applied to the background.

remove some extra 0 being passed to zwarnnam, and change one from
zerrnam.

fix a leak of w->children when deleting windows.

check return value from mbrtowc and wctomb correctly.

store attrs correctly in non-multibyte path.

return error from zcurses position when given an invalid parameter name.

if init_pair fails, retry with the same number next time.
|
The flags parameter is always 0 so the precedence mistake doesn't
actually matter.
Attributes are quite unlikely to be over 2GB in length, but use the
correct types.
The module is load=no so the autofeatures isn't used, but be consistent
and list all builtins in the mdd file.
|
Coverity CID 1692322 in Src/glob.c:
I'm pretty sure this is a false positive so add a debug message just in case

Coverity CID 1500752 in Src/Zle/compresult.c:
remove unused assignment that also reads uninitialized pointer p

And two that were just near other things it complained about

Src/utils.c:
Warn if maildir disappeared from under us

Src/Modules/system.c:
stray \n in zwarn message

Src/subst.c:
Use DIGBUFSIZE for buf holding digits
This one would be a little hard to overflow in practice, you'd need a
parameter at least 100000000000000 characters long, which is 100TB.
|
This was originally marked as a false positive because the allocation
was done with PAT_STATIC; when that was later changed to PAT_ZDUP to
avoid problems with signal handlers stomping on the memory, apparently
this cleanup path was missed.
|
The freesession function randomly clearing the current session instead
of the passed session is probably not great.
The h_errno definition is repeated just above identically, which I would
assume is a compile time error for anyone who has USE_LOCAL_H_ERRNO set.
|
This lets you close tcp connections without losing data. Updating
zshtcpsys is left as an exercise for someone else.
|
If the passed name was too long, it was silently truncated. If it was
exactly the max length, the string was not nul terminated.
% zsocket -l aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
==421== Syscall param socketcall.bind(my_addr.sun_path) points to uninitialised byte(s)
==421== at 0x4DD77D7: bind (in /lib64/libc-2.32.so)
==421== by 0x61FB31A: bin_zsocket (in /usr/local/lib64/zsh/5.9.0.3-test-mika/zsh/net/socket.so)
==421== by 0x4217BF: execbuiltin (in /usr/local/bin/zsh)
==421== by 0x433751: execcmd_exec (in /usr/local/bin/zsh)
==421== by 0x433D2B: execpline2 (in /usr/local/bin/zsh)
==421== by 0x434084: execpline (in /usr/local/bin/zsh)
==421== by 0x4359F8: execlist (in /usr/local/bin/zsh)
==421== by 0x4362A1: execode (in /usr/local/bin/zsh)
==421== by 0x44F7A1: loop (in /usr/local/bin/zsh)
==421== by 0x450AAD: zsh_main (in /usr/local/bin/zsh)
==421== by 0x4D01E69: (below main) (in /lib64/libc-2.32.so)
==421== Address 0x1ffeffd7ad is on thread 1's stack
==421== in frame #1, created by bin_zsocket (???:)
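
The two sun_path behaviours the message above describes, shown beside a length-checked copy as an added example (not the zsh source). The strncpy form is an assumed shape of the flawed copy, and the function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

#define SUN_MAX (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Assumed shape of the flawed copy (not the zsh source): strncpy cuts
 * the name silently and writes no NUL when it fills sun_path exactly. */
static void fill_unchecked(struct sockaddr_un *sa, const char *name)
{
    sa->sun_family = AF_UNIX;
    strncpy(sa->sun_path, name, SUN_MAX);
}

/* Checked copy: the name must fit together with its terminator. */
static int fill_checked(struct sockaddr_un *sa, const char *name)
{
    size_t len = strlen(name);
    if (len >= SUN_MAX)
        return -1;                      /* caller reports "name too long" */
    memset(sa, 0, sizeof(*sa));         /* no uninitialised bytes reach bind() */
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, name, len + 1);
    return 0;
}

/* n 'a' chars (constructed): 1 = NUL-terminated, 0 = not, -1 = rejected. */
static int try_name(size_t n, int checked)
{
    char name[SUN_MAX + 8];
    struct sockaddr_un sa;
    if (n >= sizeof(name))
        return -2;
    memset(name, 'a', n);
    name[n] = '\0';
    memset(&sa, 0xAA, sizeof(sa));      /* stand-in for stack garbage */
    if (checked && fill_checked(&sa, name) != 0)
        return -1;
    if (!checked)
        fill_unchecked(&sa, name);
    return memchr(sa.sun_path, '\0', SUN_MAX) != NULL;
}

int main(void)
{
    printf("exact fit: unchecked=%d checked=%d\n", try_name(SUN_MAX, 0), try_name(SUN_MAX, 1));
    return 0;
}
```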
|
We don't use numerical callouts at all, and we should probably document that, but not crashing is at least a more useful behavior. While it is true that callout_number is always 0 for string callouts, it is not true that it is never 0 for numerical callouts, so check that we got a string too.
|
tweaked to adjust order of options in documentation
|
This is in response to a security report. There are too many potential ways
to break out of a restricted shell and more secure, modern alternatives exist.
|
+ README update due to potential compatibility breakage
|
allow mixing of colours
|
braces
|
with small tweak to test, just in case