Zsh Mailing List Archive
[PATCH 1/3] jp: Fix segfaults during parameter expansion
- X-seq: zsh-workers 42274
- From: Joey Pabalinas <joeypabalinas@xxxxxxxxx>
- To: schaefer@xxxxxxxxxxxxxxxx
- Subject: [PATCH 1/3] jp: Fix segfaults during parameter expansion
- Date: Sun, 14 Jan 2018 05:23:42 -1000
- Cc: dana@xxxxxxx, zsh-workers@xxxxxxx, Joey Pabalinas <joeypabalinas@xxxxxxxxx>
- In-reply-to: <20180114152344.12018-1-joeypabalinas@gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <20180114152344.12018-1-joeypabalinas@gmail.com>
Running:
> $ zsh -fc ': ${${(PAA)p[foo]}::=x}'

in current zsh versions causes:
> [1] 4441 segmentation fault (core dumped) zsh -fc ': ${${(PAA)p[foo]}::=x}'
Also happens when testing with machabot:
> 19:42 <jp> > : ${${(PAA)p[foo]}::=x}
> 19:42 <machabot> jp: zsh[248]: segfault at 0 ip b7dfcda3 sp bfeb9ebc
> error 4 in libc-2.13.so[b7d84000+149000]
Add a simple `dupstring(s2)` fallback instead of pointlessly
trying to concatenate `s2` to NULL and segfaulting.
Signed-off-by: Joey Pabalinas <joeypabalinas@xxxxxxxxx>
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/Src/string.c b/Src/string.c
index 9e14ef94919c3e8ec5..038624d65a9f533494 100644
--- a/Src/string.c
+++ b/Src/string.c
@@ -144,8 +144,12 @@ dyncat(const char *s1, const char *s2)
{
/* This version always uses space from the current heap. */
char *ptr;
- size_t l1 = strlen(s1);
+ size_t l1;
+ /* String duplicate fallback to prevent NULL derefs */
+ if (!s1)
+ return dupstring(s2);
+ l1 = strlen(s1);
ptr = (char *)zhalloc(l1 + strlen(s2) + 1);
strcpy(ptr, s1);
strcpy(ptr + l1, s2);
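Review bot: the new `if (!s1)` guard in dyncat covers only the first argument; the unchanged `strlen(s2)` in the zhalloc() call still dereferences s2 unconditionally, and the fallback itself passes a possibly-NULL s2 to dupstring. Either state in the comment that s2 is guaranteed non-NULL on the path that reaches here, or guard it as well. It is also worth checking whether the NULL should be rejected in the parameter-expansion caller that produces it for `${${(PAA)p[foo]}::=x}`, because a silent fallback in a general-purpose helper hides the same mistake from every other caller.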
@@ -158,8 +162,12 @@ bicat(const char *s1, const char *s2)
{
/* This version always uses permanently-allocated space. */
char *ptr;
- size_t l1 = strlen(s1);
+ size_t l1;
+ /* String duplicate fallback to prevent NULL derefs */
+ if (!s1)
+ return dupstring(s2);
+ l1 = strlen(s1);
ptr = (char *)zalloc(l1 + strlen(s2) + 1);
strcpy(ptr, s1);
strcpy(ptr + l1, s2);
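Review bot: the fallback `return dupstring(s2);` in bicat contradicts the comment directly above it, "This version always uses permanently-allocated space". The identical call is the fallback in dyncat, the current-heap variant, so at least one of the two returns memory from the wrong allocator. A caller that later frees bicat's result as a zalloc'd string would then be freeing heap-arena memory. Use the permanent-allocation duplicate here (ztrdup(s2)) and keep dupstring only in dyncat.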
--
2.15.1