From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 33894
Received: (qmail 29227 invoked from network); 6 Dec 2014 23:07:50 -0000
From: Bart Schaefer
Message-id: <141206150753.ZM2978@torch.brasslantern.com>
Date: Sat, 06 Dec 2014 15:07:53 -0800
In-reply-to: <20141206042732.GA28745@ti.fritz.box>
Comments: In reply to Dennis Felsing "free() error on simple input scripts" (Dec 6, 5:27am)
References: <20141206042732.GA28745@ti.fritz.box>
To: Dennis Felsing, zsh-workers@zsh.org
Subject: Re: free() error on simple input scripts

On Dec 6, 5:27am, Dennis Felsing wrote:
}
} Simply running zsh (from git) on each of the two attached files causes a
} free() error for me:

These are both unicode files, at least one in 16-bit with a byte-order
prefix, and are therefore not valid input to the shell. If you're in a
situation where you're being caused to feed the shell unknown or invalid
input, you're already way worse off than can be helped by avoiding a bad
free() ...

However, it appears that both unmeta() and unmetafy() have trouble with
this input, e.g., unmeta() sees a META byte immediately before the end of
string NUL and therefore runs off the end at the second *t++ in this loop:

    for (t = file_name, p = fn; *t; p++)
	if ((*p = *t++) == Meta)
	    *p = *t++ ^ 32;

This ought to get caught well before we reach this part of the function,
but I'm not sure what the correct reaction is. Anyway, the failure of
unmeta[fy] cascades into errors in metafy() later.

Maybe this? Though how we ended up with a bad metafied string in the
first place might also be worth investigating.

diff --git a/Src/utils.c b/Src/utils.c index 9268147..5c90638 100644 --- a/Src/utils.c +++ b/Src/utils.c @@ -4164,7 +4164,7 @@ unmetafy(char *s, int *len) for (p = s; *p && *p != Meta; p++); for (t = p; (*t = *p++);) - if (*t++ == Meta) + if (*t++ == Meta && *p) t[-1] = *p++ ^ 32; if (len) *len = t - s; 
@@ -4208,8 +4208,10 @@ unmeta(const char *file_name) meta = 0; for (t = file_name; *t; t++) { - if (*t == Meta) - meta = 1; + if (*t == Meta) { + meta = t[1]; + break; + } } if (!meta) { /*
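Review bot: in the unmetafy() hunk, the added `&& *p` in `if (*t++ == Meta && *p)` stops the decode but leaves the trailing Meta byte in the output (t has already stepped past it) and counts it in `*len`, so the caller gets back a string that still carries an unpaired Meta with no signal that the input was malformed. Suggest at least a comment saying a Meta immediately before the NUL is passed through unchanged, and consider whether dropping it (not advancing t in that case) or reporting the error better fits what metafy() later expects, given the message notes that the bad string cascades into metafy().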
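Review bot: in the unmeta() hunk, the scan only inspects the byte after the first Meta in `file_name`; a string whose first Meta pair is well formed but which ends with a second, unpaired Meta sets `meta` non-zero, so the copy loop quoted in the message still runs and its `*t++ ^ 32` reads the terminator and then continues past it. Suggest moving the guard into the copy loop itself, e.g. `if ((*p = *t++) == Meta && *t)`, or scanning the whole string for a Meta immediately followed by NUL instead of breaking at the first Meta. Also, `meta = t[1]` now stores a char (possibly negative) in what was a 0/1 flag; it works as a truth value, but a one-line comment would help the next reader.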
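As an added illustration of the boundary condition the message describes, and not code from the email or from zsh itself, the following C program pairs a simplified metafy with an in-place decoder that carries the same `&& *p` guard as the unmetafy() hunk, plus a scan mirroring the unmeta() hunk. The Meta value 0x83 and the choice to escape only NUL and the Meta byte are assumptions made for this example; zsh escapes a wider range of bytes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed value of zsh's Meta marker byte; the message does not state it,
 * so it is an assumption of this example. */
#define META ((char)0x83)

/* Simplified metafy (constructed for this example): only NUL and the Meta
 * byte itself are escaped, each becoming Meta followed by (byte ^ 32).
 * Returns the encoded length, or 0 if 'out' cannot hold the result. */
size_t metafy_simple(const unsigned char *in, size_t n, char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = in[i];
        if (c == 0 || c == (unsigned char)META) {
            if (o + 2 >= cap)
                return 0;
            out[o++] = META;
            out[o++] = (char)(c ^ 32);
        } else {
            if (o + 1 >= cap)
                return 0;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return o;
}

/* In-place decode with the guard from the unmetafy() hunk: a Meta byte that
 * sits immediately before the terminating NUL is copied through literally
 * instead of consuming the terminator. Returns the decoded length; the
 * result may contain embedded NULs. */
size_t unmetafy_checked(char *s)
{
    char *p, *t;

    for (p = s; *p && *p != META; p++)
        ;
    for (t = p; (*t = *p++);)
        if (*t++ == META && *p)
            t[-1] = *p++ ^ 32;
    return (size_t)(t - s);
}

/* Mirror of the scan in the unmeta() hunk: true only when the first Meta
 * byte actually has a following byte to decode. */
int first_meta_decodable(const char *s)
{
    for (const char *t = s; *t; t++)
        if (*t == META)
            return t[1] != '\0';
    return 0;
}

/* Round trip of a constructed byte string containing both NUL and the Meta
 * byte; returns 1 on success. */
int roundtrip_ok(void)
{
    const unsigned char raw[] = { 'a', 0x00, 'b', 0x83 };
    char buf[16];

    if (metafy_simple(raw, sizeof raw, buf, sizeof buf) != 6)
        return 0;
    if (unmetafy_checked(buf) != sizeof raw)
        return 0;
    return memcmp(buf, raw, sizeof raw) == 0;
}

/* The malformed case from the message: Meta as the last byte before NUL.
 * Returns 1 when the decoder leaves the string intact (length 3, nothing
 * read past the terminator) and the scan reports no decodable Meta. */
int truncated_ok(void)
{
    char trunc[] = { 'a', 'b', META, '\0' };

    if (first_meta_decodable(trunc))
        return 0;
    if (unmetafy_checked(trunc) != 3)
        return 0;
    return trunc[0] == 'a' && trunc[1] == 'b' &&
           trunc[2] == META && trunc[3] == '\0';
}

int main(void)
{
    printf("roundtrip: %s\n", roundtrip_ok() ? "ok" : "FAIL");
    printf("truncated: %s\n", truncated_ok() ? "ok" : "FAIL");
    return 0;
}
```

Running the program under a bounds checker such as AddressSanitizer with the `&& *p` removed from unmetafy_checked() reproduces the over-read on the truncated input; with the guard in place both cases report ok.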