Resolves: #1461483 - fix unsafe use of a static buffer in history isearch

2017-06-14 23:22:44 +02:00 · 2017-06-14 23:22:44 +02:00 · 914fcff0db
commit 914fcff0db
parent 53b1ddc8be
2 changed files with 77 additions and 1 deletions
--- a/0001-zsh-5.3.1-hist-isearch.patch
+++ b/0001-zsh-5.3.1-hist-isearch.patch
@ -0,0 +1,72 @@
+From e56d3b33b50c42301925288af98b18aeb56f83cc Mon Sep 17 00:00:00 2001
+From: Peter Stephenson <pws@zsh.org>
+Date: Fri, 6 Jan 2017 17:42:13 +0000
+Subject: [PATCH] 40285: Be more careful with pattern allocation in history
+ isearch.
+
+If there are ZLE hooks to be called, they may use patterns, in
+which case it's not safe to allocate the isearch pattern in the
+static buffer.
+
+Upstream-commit: 48cadf48ff9c61ce09e826ad9a58e250e999a262
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ Src/Zle/zle_hist.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/Src/Zle/zle_hist.c b/Src/Zle/zle_hist.c
+index abd6e17..434735d 100644
+--- a/Src/Zle/zle_hist.c
+++ b/Src/Zle/zle_hist.c
+@@ -1220,13 +1220,12 @@ doisearch(char **args, int dir, int pattern)
+ 		char *patbuf = ztrdup(sbuf);
+ 		char *patstring;
+ 		/*
+-		 * Use static pattern buffer since we don't need
+-		 * to maintain it and won't call other pattern functions
+-		 * meanwhile.
+		 * Do not use static pattern buffer (PAT_STATIC) since we call zle hooks,
+		 * which might call other pattern functions. Use PAT_ZDUP instead.
+ 		 * Use PAT_NOANCH because we don't need the match
+ 		 * anchored to the end, even if it is at the start.
+ 		 */
+-		int patflags = PAT_STATIC|PAT_NOANCH;
+		int patflags = PAT_ZDUP|PAT_NOANCH;
+ 		if (sbuf[0] == '^') {
+ 		    /*
+ 		     * We'll handle the anchor later when
+@@ -1521,6 +1520,7 @@ doisearch(char **args, int dir, int pattern)
+ 		    if (only_one || !top_spot || old_sbptr != sbptr)
+ 			break;
+ 		}
+		freepatprog(patprog);
+ 		patprog = NULL;
+ 		nosearch = 1;
+ 		skip_pos = 0;
+@@ -1632,6 +1632,7 @@ doisearch(char **args, int dir, int pattern)
+ 	    }
+ 	    strcpy(sbuf + sbptr, paste);
+ 	    sbptr += pastelen;
+	    freepatprog(patprog);
+ 	    patprog = NULL;
+ 	    free(paste);
+ 	} else if (cmd == Th(z_acceptsearch)) {
+@@ -1682,6 +1683,7 @@ doisearch(char **args, int dir, int pattern)
+ 	     * always valid at this point.
+ 	     */
+ 	    sbptr += zlecharasstring(LASTFULLCHAR, sbuf + sbptr);
+	    freepatprog(patprog);
+ 	    patprog = NULL;
+ 	}
+ 	if (feep)
+@@ -1702,6 +1704,7 @@ doisearch(char **args, int dir, int pattern)
+     zsfree(okeymap);
+     if (matchlist)
+ 	freematchlist(matchlist);
+    freepatprog(patprog);
+     isearch_active = 0;
+     /*
+      * Don't allow unused characters provided as a string to the
+-- 
+2.9.4
+
--- a/zsh.spec
+++ b/zsh.spec
@ -3,7 +3,7 @@
 Summary: Powerful interactive shell
 Name: zsh
 Version: 5.3.1
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: MIT
 URL: http://zsh.sourceforge.net/
 Group: System Environment/Shells
@ -14,6 +14,7 @@ Source3: zprofile.rhs
 Source4: zshrc.rhs
 Source5: zshenv.rhs
 Source6: dotzshrc
+Patch1:  0001-zsh-5.3.1-hist-isearch.patch

 BuildRequires: coreutils
 BuildRequires: gawk
@ -172,6 +173,9 @@ fi
 %doc Doc/*.html

 %changelog
+* Wed Jun 14 2017 Kamil Dudka <kdudka@redhat.com> - 5.3.1-9
+- fix unsafe use of a static buffer in history isearch (#1461483)
+
 * Thu Jun 08 2017 Kamil Dudka <kdudka@redhat.com> - 5.3.1-8
 - make the zsh-html subpackage noarch (#1459657)