Zsh Mailing List Archive

Re: [PATCH] don't let char class disturb end finding



I was able to reproduce this:
==28848== Invalid write of size 1
==28848==    at 0x67D7E7F: parse_class (complete.c:551)
==28848==    by 0x67D7993: parse_pattern (complete.c:435)
==28848==    by 0x67D7585: parse_cmatcher (complete.c:317)
==28848==    by 0x67D8A86: bin_compadd (complete.c:833)
==28848==    by 0x410C5E: execbuiltin (builtin.c:506)
==28848==    by 0x43A65C: execcmd_exec (exec.c:4266)
==28848==    by 0x433C51: execpline2 (exec.c:2050)
==28848==    by 0x432894: execpline (exec.c:1775)
==28848==  Address 0x77bed65 is 0 bytes after a block of size 5 alloc'd
==28848==    at 0x48397B5: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==28848==    by 0x4739A1: zalloc (mem.c:966)
==28848==    by 0x67D7C5B: parse_class (complete.c:509)
==28848==    by 0x67D7993: parse_pattern (complete.c:435)
==28848==    by 0x67D7585: parse_cmatcher (complete.c:317)

==28848== Invalid write of size 1
==28848==    at 0x67D7EA9: parse_class (complete.c:557)
==28848==    by 0x67D7993: parse_pattern (complete.c:435)

==28848== Invalid read of size 1
==28848==    at 0x483F894: __strlen_sse2 (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==28848==    by 0x4AA2DA: ztrdup (string.c:68)
==28848==    by 0x67D714B: cp_cpattern_element (complete.c:199)
==28848==    by 0x67D71A3: cpcpattern (complete.c:223)
==28848==    by 0x67D702A: cpcmatcher (complete.c:165)
==28848==    by 0x67D8B30: bin_compadd (complete.c:847)


(I temporarily changed the zhalloc on complete.c:509 to a regular
zalloc to make things easier for valgrind).


reproducer:
% foo() { compadd -M 'M:[[:a:]123456]=[[:b:]abcdef]' foo bar baz };
compdef foo foo
% foo <tab>


On Thu, Jun 18, 2015 at 3:49 AM Han Pingtian <hanpt@xxxxxxxxxxxxxxxxxx> wrote:
>
> On Wed, Jun 17, 2015 at 08:23:05AM -0700, Bart Schaefer wrote:
> > On Jun 17,  2:16pm, Han Pingtian wrote:
> > }
> > } This patch tries to fix this problem:
> > }
> > } compadd -M '[[:lower:]123456]=...' will cause the end of class to be the
> > } ']' before 1 and will alloc range of memory less than enough for the
> > } cpattern.
> >
> > I don't see anything obviously wrong with the patch, but when I try the
> > above example directly I get "unknown match specification character `['"
> > both before and after applying your patch (and no complaints of memory
> > misuse from valgrind, even before your patch).  Is that the correct
> > example to reproduce the error?
> >
> > I also tried '[[:lower:]123456]=[[:upper:]abcdef]' with the same result.
>
> Sorry, my fault. It should be 'M:[[:lower:]123456]=[[:upper:]abcdef]'
> and for triggering memory misuse, I think we should use something like
> 'M:[[:a:]123456]=[[:b:]abcdef]'. Then
>
>  469     optr = p->u.str = zhalloc((optr-iptr) + 1);
>
> will allocate a memory block 5 bytes long, but later it will put 6 bytes
> into this memory.
>


-- 
Mikael Magnusson
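As an added illustration, not code from zsh or from anyone in this thread, the C below contrasts the two ways of finding the end of a bracket expression such as '[[:a:]123456]': a naive scan that stops at the first ']' (the ']' of '[:a:]', which is the mistake the thread describes), and a corrected scan that skips over '[:name:]' sub-expressions. It also computes the allocation each end-finder would produce under the '(optr-iptr) + 1' sizing rule quoted above, and checks whether that allocation can hold the real body. The function names, the '[:' skipping rule and the leading-']'-is-literal rule are this example's own assumptions about a generic POSIX-style bracket expression; it does not reproduce zsh's parse_class.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Both end-finders take `s` pointing at the opening '[' of a bracket
 * expression and return a pointer to the ']' that closes it, or NULL
 * if the expression is unterminated. (Example code; assumptions noted.) */

/* Naive version: the first ']' after the opening '[' ends the expression.
 * With "[[:a:]123456]" that is the ']' of "[:a:]", so the body looks like
 * "[:a:" (4 bytes) instead of "[:a:]123456" (11 bytes). */
const char *class_end_naive(const char *s)
{
    const char *p = s + 1;
    while (*p && *p != ']')
        p++;
    return *p ? p : NULL;
}

/* Corrected version: a "[:" inside the expression is skipped up to its
 * matching ":]", so the ']' of a named class cannot terminate the outer
 * expression. A ']' as the very first member is a literal, as in POSIX. */
const char *class_end(const char *s)
{
    const char *p = s + 1;
    if (*p == ']')
        p++;
    while (*p) {
        if (p[0] == '[' && p[1] == ':') {
            const char *q = strstr(p + 2, ":]");
            if (!q)
                return NULL;        /* unterminated [:name:] */
            p = q + 2;
            continue;
        }
        if (*p == ']')
            return p;
        p++;
    }
    return NULL;
}

typedef const char *(*end_finder)(const char *);

/* Offset of the closing ']' from the opening '[', or -1 if unterminated. */
long class_end_offset(const char *s, end_finder finder)
{
    const char *end = finder(s);
    return end ? (long)(end - s) : -1;
}

/* Buffer size the thread's sizing rule, (optr - iptr) + 1, yields for the
 * body found by `finder`: (offset - 1) body bytes plus one for the NUL,
 * which is simply the offset. -1 if unterminated. */
long class_alloc_size(const char *s, end_finder finder)
{
    long off = class_end_offset(s, finder);
    return off < 0 ? -1 : off;
}

/* Copy the body (between the outer brackets) into a buffer sized by the
 * same finder, so the copy can never exceed the allocation. Caller frees. */
char *copy_class_body(const char *s, end_finder finder)
{
    const char *end = finder(s);
    if (!end)
        return NULL;
    size_t len = (size_t)(end - (s + 1));
    char *buf = malloc(len + 1);
    if (!buf)
        return NULL;
    memcpy(buf, s + 1, len);
    buf[len] = '\0';
    return buf;
}

/* 1 if a buffer sized by `finder` could hold the real body (as found by
 * class_end) plus its NUL, 0 if writing that body would run past it. */
int class_body_fits(const char *s, end_finder finder)
{
    long alloc = class_alloc_size(s, finder);
    long need  = class_alloc_size(s, class_end);
    return alloc >= 0 && need >= 0 && alloc >= need;
}

int main(void)
{
    const char *spec = "[[:a:]123456]";   /* constructed sample from the thread */
    printf("naive:   ']' at %ld, alloc %ld bytes, fits=%d\n",
           class_end_offset(spec, class_end_naive),
           class_alloc_size(spec, class_end_naive),
           class_body_fits(spec, class_end_naive));
    printf("correct: ']' at %ld, alloc %ld bytes, fits=%d\n",
           class_end_offset(spec, class_end),
           class_alloc_size(spec, class_end),
           class_body_fits(spec, class_end));
    return 0;
}
```

For the thread's input the naive finder sizes the buffer at 5 bytes, matching the "block of size 5" in the valgrind report, while the body actually needed is 11 bytes plus NUL; class_body_fits makes that mismatch a checkable condition rather than a heap write to find afterwards with valgrind.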