Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: [PATCH] jp: fix segfaults during parameter expansion



On Sat, Jan 13, 2018 at 10:05 PM, Joey Pabalinas
<joeypabalinas@xxxxxxxxx> wrote:
> Running `zsh -fc ': ${${(PAA)p[foo]}::=x}'` in current zsh versions causes:
>
>> "segmentation fault (core dumped) zsh -fc '(: ${${(PAA)p[foo]}::=x})'
>
> Add checks to catch NULL dereferences.

Thanks for tracking this down.  Defensive programming is always good,
but I think this is indicative of a problem further upstream.

What's the expected output of that substitution?

The following prevents the segfault for me, instead giving the error
"zsh: not an identifier: " (i.e., empty string is not a valid
parameter name).  But perhaps there's a different error that should
occur here if val is NULL?

diff --git a/Src/subst.c b/Src/subst.c
index d027e3d..73491c2 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -2430,7 +2430,10 @@ paramsubst(LinkList l, LinkNode n, char **str,
int qt, int pf_flags,
                val = aval[0];
                isarr = 0;
            }
-           s = dyncat(val, s);
+           if (val)
+               s = dyncat(val, s);
+           else
+               s = dupstring(s);
            /* Now behave po-faced as if it was always like that... */
            subexp = 0;
            /*
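Review bot: The new `else` branch at `s = dupstring(s);` has no comment saying when `val` can be NULL. The context line `val = aval[0];` suggests the case is an array with no first element, and a short comment stating that would help the next reader. The branch also carries on with an empty name and leaves the failure to be reported later as "not an identifier: ", which is the open question in the message above. If a NULL `val` is a distinct error, raising it here beside the check would give a clearer diagnostic than falling through with an empty prefix.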


