From e51be32e198f42828b1082f9a40ff525ba892dcb Mon Sep 17 00:00:00 2001

From: "Barton E. Schaefer" <schaefer@zsh.org>

Date: Sun, 17 Aug 2014 10:32:02 -0700

Subject: [PATCH 1/2] Increase size of xbuf2 in xsymlinks to make gcc

 FORTIFY_SOURCE=2 happy.

Upstream-commit: 4ba08eef7e15f7fd0c96353d931b764e25fd251d

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 Src/utils.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Src/utils.c b/Src/utils.c

index a197ef8..13e744e 100644

--- a/Src/utils.c

+++ b/Src/utils.c

@@ -723,7 +723,7 @@ static int

 xsymlinks(char *s)

 {

     char **pp, **opp;

-    char xbuf2[PATH_MAX*2], xbuf3[PATH_MAX*2];

+    char xbuf2[PATH_MAX*3], xbuf3[PATH_MAX*2];

     int t0, ret = 0;

     zulong xbuflen = strlen(xbuf);

-- 

2.14.3

From 5059305b758f1fd228837da436b48a1dcadfd7a3 Mon Sep 17 00:00:00 2001

From: Peter Stephenson <pws@zsh.org>

Date: Tue, 9 May 2017 17:49:18 +0100

Subject: [PATCH 2/2] 40181: Fix buffer overrun in xsymlinks.

There was no check for copying to the internal xbuf2 for a

preliminary test.

Upstream-commit: c7a9cf465dd620ef48d586026944d9bd7a0d5d6d

The upstream test-case has not been backported because this version

of zsh does not support the :P modifier.

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

Also picked a fix for buffer size off-by-one from upstream commit

a62e1640bcafbb82d86ea8d8ce057a83c4683d60 to fix the following defect

newly detected by Coverity Analysis:

Error: OVERRUN (CWE-119):

zsh-5.0.2/Src/utils.c:732: cond_at_most: Checking "xbuflen < 8192UL" implies that "xbuflen" may be up to 8191 on the true branch.

zsh-5.0.2/Src/utils.c:757: overrun-local: Overrunning array of 8192 bytes at byte offset 8192 by dereferencing pointer "xbuf2 + xbuflen + 1". [Note: The source code implementation of the function has been overridden by a builtin model.]

---

 Src/utils.c | 18 +++++++++++++-----

 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/Src/utils.c b/Src/utils.c

index a197ef8..391d020 100644

--- a/Src/utils.c

+++ b/Src/utils.c

@@ -684,7 +684,7 @@ ispwd(char *s)

     return 0;

 }

-static char xbuf[PATH_MAX*2];

+static char xbuf[PATH_MAX*2+1];

 /**/

 static char **

@@ -723,9 +723,9 @@ static int

 xsymlinks(char *s)

 {

     char **pp, **opp;

-    char xbuf2[PATH_MAX*3], xbuf3[PATH_MAX*2];

+    char xbuf2[PATH_MAX*3+1], xbuf3[PATH_MAX*2+1];

     int t0, ret = 0;

-    zulong xbuflen = strlen(xbuf);

+    zulong xbuflen = strlen(xbuf), pplen;

     opp = pp = slashsplit(s);

     for (; xbuflen < sizeof(xbuf) && *pp && ret >= 0; pp++) {

@@ -744,10 +744,18 @@ xsymlinks(char *s)

 	    *p = '\0';

 	    continue;

 	}

-	sprintf(xbuf2, "%s/%s", xbuf, *pp);

+	/* Includes null byte. */

+	pplen = strlen(*pp) + 1;

+	if (xbuflen + pplen + 1 > sizeof(xbuf2)) {

+	    *xbuf = 0;

+	    ret = -1;

+	    break;

+	}

+	memcpy(xbuf2, xbuf, xbuflen);

+	xbuf2[xbuflen] = '/';

+	memcpy(xbuf2 + xbuflen + 1, *pp, pplen);

 	t0 = readlink(unmeta(xbuf2), xbuf3, PATH_MAX);

 	if (t0 == -1) {

-	    zulong pplen = strlen(*pp) + 1;

 	    if ((xbuflen += pplen) < sizeof(xbuf)) {

 		strcat(xbuf, "/");

 		strcat(xbuf, *pp);

-- 

2.14.3