Zsh Mailing List Archive
Re: Discovery of 3 Bugs in Zsh
On Sat, Apr 22, 2023 at 10:46 AM Johenan Li <liyuweiheng@xxxxxxxxxxx> wrote:
>
> #0 0x555a909ad411 in getjobtext /src/zsh/Src/text.c:338:9
>
> 0x555a916f32df is located 1 bytes to the left of global variable 'jbuf' defined in 'text.c:317:17' (0x555a916f32e0) of size 80
> 0x555a916f32df is located 30 bytes to the right of global variable 'tjob' defined in 'text.c' (0x555a916f32c0) of size 1
Perhaps there's some way to have a job with an empty jobtext?
diff --git a/Src/text.c b/Src/text.c
index 56127c457..8b1bd96b6 100644
--- a/Src/text.c
+++ b/Src/text.c
@@ -335,7 +335,7 @@ getjobtext(Eprog prog, Wordcode c)
tlim = tptr + JOBTEXTSIZE - 1;
tjob = 1;
gettext2(&s);
- if (tptr[-1] == Meta)
+ if (tptr > jbuf && tptr[-1] == Meta)
--tptr;
*tptr = '\0';
freeeprog(prog); /* mark as unused */
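Review bot: the added `tptr > jbuf` test on the `if` line carries no comment saying when tptr can still equal jbuf after gettext2(&s) returns. A short comment there would help, for example noting that gettext2() may emit no text, in which case tptr[-1] reads the byte just before jbuf, which is what the quoted report at text.c:338 shows. The guard stops the out-of-bounds read and leaves `*tptr = '\0'` writing to jbuf[0], which is in bounds. How a job ends up with empty text is still an open question in the message above, so it is worth recording that in the commit message until a reproducer is found.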