Certain arguments cause csh to lock up and endlessly consume memory
until killed. I'm guessing this happens during parsing because the
code doesn't have to actually be executed.
The most I've been able to narrow it down is that it happens when a
command line contains both a backslash and an unquoted ܠ (U+0720
SYRIAC LETTER LAMADH).

Examples that trigger it:

    if (0) true \ܠ
    true \ foo bar baz ܠ
    true '\' ܠ

Examples that don't trigger it:

    true \ 'ܠ'

I didn't manage to reproduce this on OpenBSD but I didn't try very
(This problem was found while fuzzing another piece of software.)
-- System Information:
Debian Release: 11.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages csh depends on:
ii libbsd0 0.11.3-1
ii libc6 2.31-13
csh recommends no packages.
csh suggests no packages.
-- no debconf information
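
A bounded way to re-check the command lines quoted in the report above, for example after a package update. This script is an added example, not part of the original report or of the csh package. It assumes coreutils timeout is installed and that feeding a line on standard input reaches the same parsing path; CSH_BIN, LIMIT_SECS, LIMIT_KB and the function names are chosen here.

```sh
#!/bin/sh
# Added example (not from the report): run each quoted command line under a
# wall-clock cap and an address-space cap, so a runaway parser is stopped.
# Assumptions: coreutils `timeout`; stdin input reaches the affected parser.
# The report's system ran with LC_ALL=en_US.UTF-8; the locale is inherited here.
: "${CSH_BIN:=csh}"        # interpreter under test
: "${LIMIT_SECS:=5}"       # wall-clock cap per command line
: "${LIMIT_KB:=262144}"    # address-space cap in KiB (256 MiB)

# probe LINE -> prints OK, TIMEOUT or ABNORMAL:<exit status>
probe() {
    status=0
    (
        ulimit -v "$LIMIT_KB" || exit 125     # refuse to run without the memory cap
        printf '%s\n' "$1" |
            timeout -s KILL "$LIMIT_SECS" "$CSH_BIN" -f >/dev/null 2>&1
    ) || status=$?
    case $status in
        0)       echo OK ;;
        124|137) echo TIMEOUT ;;              # still running when the cap expired
        *)       echo "ABNORMAL:$status" ;;   # crash, allocation failure or shell error
    esac
}

# Run the four command lines quoted in the report:
# three reported as triggering the hang, one reported as not triggering it.
run_report_cases() {
    while IFS= read -r line; do
        printf '%-12s %s\n' "$(probe "$line")" "$line"
    done <<'EOF'
if (0) true \ܠ
true \ foo bar baz ܠ
true '\' ܠ
true \ 'ܠ'
EOF
}

# Invoke as: sh thisfile run
case "${1:-}" in run) run_report_cases ;; esac
```

A TIMEOUT or ABNORMAL result on the first three lines together with OK on the last one matches the behaviour described in the report; OK on all four means the hang did not occur within the caps.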