Zsh Mailing List Archive
Re: Potential Security Vulnerability: Double Free in zle_vi.c (Detected via Static Analysis)
- X-seq: zsh-workers 54588
- From: Oliver Kiddle <opk@xxxxxxx>
- To: Pasidu Rashmitha <pasidurashmitha054@xxxxxxxxx>
- Cc: zsh-workers@xxxxxxx
- Subject: Re: Potential Security Vulnerability: Double Free in zle_vi.c (Detected via Static Analysis)
- Date: Fri, 22 May 2026 00:00:32 +0200
- Archived-at: <https://zsh.org/workers/54588>
- In-reply-to: <CABJ0pRJVvrzE=QreyUhj6TZyU-Ea_5JiPo9PhhBhncX=TCLwLg@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <CABJ0pRJVvrzE=QreyUhj6TZyU-Ea_5JiPo9PhhBhncX=TCLwLg@mail.gmail.com>
On 3 May, Pasidu Rashmitha wrote:
> I am Sandaru, and I’ve been analyzing the Zsh source code using the Clang
> Static Analyzer (scan-build). During the analysis, I identified a potential
> memory corruption issue (Double Free) in the ZLE module.
>
> Bug Details:
>
> • Type: Double Free (Attempt to free released memory)
>
> • File: Src/Zle/zle_vi.c
>
> • Function: startvitext (Line 101/119 area)
I can't see how this can be a double free. There are two instances of
free(curvichg.buf) in the entire code and both are immediately followed
by an assignment. In one case to NULL and here by the result of a fresh
zalloc() call. If I'm missing something then please explain.
To a large extent, scan-build does get run and the results checked. I
tend to find that it reports a lot of false positives. Coverity is
better and has the advantage that results are tracked so we don't end up
repeating the work of checking over reports.
Oliver
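As an added illustration of the point Oliver makes (this is not zsh's code; the struct, field names other than `buf`, and function names are stand-ins, and `malloc` takes the place of `zalloc`), the two free sites are modelled below with their immediate reassignments, plus a check of the invariant that makes a second `free()` on the field harmless:

```c
/* Added example, not from zsh: models free(curvichg.buf) followed by
 * an assignment, the pattern the reply describes. Names other than
 * `buf` are assumptions. */
#include <stdlib.h>
#include <string.h>

struct vichg {
    char *buf;      /* NULL or a live heap allocation, never a stale pointer */
    size_t bufsz;   /* capacity of buf */
    size_t used;    /* bytes currently recorded */
};

static struct vichg curvichg = { NULL, 0, 0 };

/* Free site 1: release the buffer and mark it empty. Because the field is
 * set to NULL right away, a later free() on it is a no-op, not a double free. */
void vi_reset(void)
{
    free(curvichg.buf);
    curvichg.buf = NULL;
    curvichg.bufsz = 0;
    curvichg.used = 0;
}

/* Free site 2: start recording a new change. The old block (or NULL) is
 * freed and the field is overwritten with a fresh allocation in the very
 * next statement, so the freed address is never reachable again. */
void vi_start_text(size_t initial_size)
{
    free(curvichg.buf);
    curvichg.buf = malloc(initial_size);   /* zsh uses zalloc(); stand-in */
    if (!curvichg.buf) abort();
    curvichg.bufsz = initial_size;
    curvichg.used = 0;
}

/* Invariant: buf is NULL with zero sizes, or a writable block of bufsz bytes. */
int vi_buffer_consistent(void)
{
    if (curvichg.buf == NULL)
        return curvichg.bufsz == 0 && curvichg.used == 0;
    memset(curvichg.buf, 0, curvichg.bufsz);   /* would fault on a stale pointer */
    return curvichg.used <= curvichg.bufsz;
}

/* Run both free sites back to back in every order; returns 1 if the
 * invariant holds throughout. */
int vi_exercise(void)
{
    vi_start_text(16);                         /* free(NULL), then allocate */
    vi_start_text(32);                         /* free old block, then allocate */
    if (!vi_buffer_consistent()) return 0;
    vi_reset();                                /* free, then NULL */
    vi_reset();                                /* free(NULL): defined, harmless */
    vi_start_text(8);
    int ok = vi_buffer_consistent();
    vi_reset();
    return ok && vi_buffer_consistent();
}
```

Running it under AddressSanitizer or Valgrind reports no double free, which is the behaviour a static analyzer has to prove about the intervening assignment rather than assume is absent.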