Zsh Mailing List Archive

Re: [PATCH] jp: fix segfaults during parameter expansion



Hi,

while working through my email backlog, I noticed that my zsh didn't
segfault. I used git bisect, and it looks like commit
4b8db48c6bd3c0230a5d81f49e478857adf9cda8 introduced it. Maybe this helps
someone that understands the code base better than me to figure out
what's wrong.

Kind regards
Daniel

Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> writes:

> On Sat, Jan 13, 2018 at 10:05 PM, Joey Pabalinas
> <joeypabalinas@xxxxxxxxx> wrote:
>> Running `zsh -fc ': ${${(PAA)p[foo]}::=x}'` in current zsh versions causes:
>>
>>> "segmentation fault (core dumped) zsh -fc '(: ${${(PAA)p[foo]}::=x})'
>>
>> Add checks to catch NULL dereferences.
>
> Thanks for tracking this down.  Defensive programming is always good,
> but I think this is indicative of a problem further upstream.
>
> What's the expected output of that substitution?
>
> The following prevents the segfault for me, instead giving the error
> "zsh: not an identifier: " (i.e., empty string is not a valid
> parameter name).  But perhaps there's a different error that should
> occur here if val is NULL?
>
> diff --git a/Src/subst.c b/Src/subst.c
> index d027e3d..73491c2 100644
> --- a/Src/subst.c
> +++ b/Src/subst.c
> @@ -2430,7 +2430,10 @@ paramsubst(LinkList l, LinkNode n, char **str,
> int qt, int pf_flags,
>                 val = aval[0];
>                 isarr = 0;
>             }
> -           s = dyncat(val, s);
> +           if (val)
> +               s = dyncat(val, s);
> +           else
> +               s = dupstring(s);
>             /* Now behave po-faced as if it was always like that... */
>             subexp = 0;
>             /*
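
Review bot: The `else` branch that sets `s = dupstring(s)` when `val` is NULL swallows the NULL silently, so the only visible symptom is the later "not an identifier" error for an empty name, which says nothing about the real cause. Since `val` can come from `val = aval[0];` just above, a short comment stating when it is expected to be NULL would help. It is also worth deciding whether to report a specific error at this point instead of continuing with an unchanged `s`, which is the open question the message itself raises.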


-- 
Daniel


