Zsh Mailing List Archive

Re: free() error on simple input scripts



On Dec 6,  5:27am, Dennis Felsing wrote:
}
} Simply running zsh (from git) on each of the two attached files causes a
} free() error for me:

These are both Unicode files, at least one in 16-bit with a byte-order
prefix, and are therefore not valid input to the shell.

If you're in a situation where you're being caused to feed the shell
unknown or invalid input, you're already way worse off than can be
helped by avoiding a bad free() ...

However, it appears that both unmeta() and unmetafy() have trouble with
this input, e.g., unmeta() sees a META byte immediately before the end
of string NUL and therefore runs off the end at the second *t++ in this
loop:

    for (t = file_name, p = fn; *t; p++)
	if ((*p = *t++) == Meta)
	    *p = *t++ ^ 32;

This ought to get caught well before we reach this part of the function,
but I'm not sure what the correct reaction is.  Anyway, the failure of
unmeta[fy] cascades into errors in metafy() later.

Maybe this?  Though how we ended up with a bad metafied string in the
first place might also be worth investigating.

diff --git a/Src/utils.c b/Src/utils.c
index 9268147..5c90638 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -4164,7 +4164,7 @@ unmetafy(char *s, int *len)
 
     for (p = s; *p && *p != Meta; p++);
     for (t = p; (*t = *p++);)
-	if (*t++ == Meta)
+	if (*t++ == Meta && *p)
 	    t[-1] = *p++ ^ 32;
     if (len)
 	*len = t - s;
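
Review bot: In the `if (*t++ == Meta && *p)` test in unmetafy(), `t` has already been advanced when the `*p` check fails, so a Meta that is the last byte before the NUL stays in the output as a literal byte and is counted in `*len`. The caller gets no indication that the input was malformed. If keeping the stray byte is intended, say so in a comment; otherwise step `t` back in that case so it is dropped.
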
@@ -4208,8 +4208,10 @@ unmeta(const char *file_name)
     
     meta = 0;
     for (t = file_name; *t; t++) {
-	if (*t == Meta)
-	    meta = 1;
+	if (*t == Meta) {
+	    meta = t[1];
+	    break;
+	}
     }
     if (!meta) {
 	/*
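
Review bot: The `break` at the first Meta in unmeta()'s scan means only that one Meta's successor is checked. A string with a complete Meta pair followed later by a Meta directly before the NUL sets `meta` nonzero and still reaches the copy loop quoted earlier in the message, where the second `*t++` runs past the end. Either keep scanning and test `t[1]` for every Meta, or guard the copy itself, e.g. `if ((*p = *t++) == Meta && *t)`. `meta` also changes here from a flag to a byte value, which deserves a comment or a rename.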



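An added example, not part of the original message or of zsh's source: a stand-alone decoder for the Meta encoding discussed above that reports a dangling Meta byte as an error instead of reading past the NUL. The name `unmeta_checked`, its return convention and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* zsh's escape byte: Meta means the next byte is stored XOR 32. */
#define META ((unsigned char)0x83)

/*
 * Hypothetical helper (not a zsh function): decode the NUL-terminated
 * metafied string src into dst, which holds cap bytes including the NUL.
 * Returns the decoded length, which may include embedded NUL bytes, or
 * -1 if a Meta byte sits directly before the terminator or dst is too
 * small.
 */
long unmeta_checked(const char *src, char *dst, size_t cap)
{
    const unsigned char *t = (const unsigned char *)src;
    size_t n = 0;

    if (cap == 0)
        return -1;
    while (*t) {
        unsigned char c = *t++;
        if (c == META) {
            if (*t == '\0')
                return -1;      /* dangling Meta: stop, never read past NUL */
            c = *t++ ^ 32;      /* safe: *t is a real payload byte */
        }
        if (n + 1 >= cap)
            return -1;          /* keep room for the terminator */
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return (long)n;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the reported files. */
    const char *samples[] = { "ab\x83\xa3", "ab\x83", "\x83\xa3\x83" };
    char out[16];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %ld\n", i,
               unmeta_checked(samples[i], out, sizeof out));
    return 0;
}
```

The third sample has a valid Meta pair followed by a Meta at the end of the string, so a check that inspects only the first Meta would accept it.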