From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (qmail 29790 invoked by alias); 14 Feb 2015 18:25:53 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List
List-Post:
List-Help:
X-Seq: 34543
Received: (qmail 3618 invoked from network); 14 Feb 2015 18:25:42 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, T_FROM_12LTRDOM,T_MANY_HDRS_LCASE autolearn=ham version=3.3.2
X-CMAE-Score: 0
X-CMAE-Analysis: v=2.1 cv=I4zSn2kl c=1 sm=1 tr=0 a=FT8er97JFeGWzr5TCOCO5w==:117 a=kj9zAlcOel0A:10 a=q2GGsy2AAAAA:8 a=oR5dmqMzAAAA:8 a=-9mUelKeXuEA:10 a=0HtSIViG9nkA:10 a=PQRmpvhu_-qYU6UkdiMA:9 a=CjuIK1q_8ugA:10
From: Bart Schaefer
Message-id: <150214102534.ZM4368@torch.brasslantern.com>
Date: Sat, 14 Feb 2015 10:25:34 -0800
X-Mailer: OpenZMail Classic (0.9.2 24April2005)
To: zsh-workers@zsh.org
Subject: PATCH: Crash bug on garbage input (previously reported to Debian)
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii

Garbage input (nul bytes, etc.) can cause the newly-introduced $(...) parser to become confused during look-ahead and back up the input too far before attempting a different parse.

The patch below simply detects the problem and turns it into a parse error with an appropriate warning. It might be helpful to figure out how the confusion originates but this prevents the crash.

diff --git a/Src/input.c b/Src/input.c index 2ecac7b..9520fdd 100644 --- a/Src/input.c +++ b/Src/input.c 
@@ -393,12 +393,14 @@ inungetc(int c) if (((inbufflags & INP_LINENO) || !strin) && c == '\n') lineno--; } -#ifdef DEBUG else if (!(inbufflags & INP_CONT)) { +#ifdef DEBUG /* Just for debugging */ fprintf(stderr, "Attempt to inungetc() at start of input.\n"); - } #endif + zerr("Garbled input at %c (binary file as commands?)", c); + return; + } else { /* * The character is being backed up from a previous input stack diff --git a/Src/lex.c b/Src/lex.c index 433c27f..91628d4 100644 --- a/Src/lex.c +++ b/Src/lex.c @@ -503,13 +503,15 @@ cmd_or_math(int cs_type) /* else unsuccessful: unget the whole thing */ hungetc(c); lexstop = 0; - while (lexbuf.len > oldlen) { + while (lexbuf.len > oldlen && !errflag) { lexbuf.len--; hungetc(itok(*--lexbuf.ptr) ? ztokens[*lexbuf.ptr - Pound] : *lexbuf.ptr); } + if (errflag) + return 2; hungetc('('); - return 0; + return errflag ? 2 : 0; }
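Review bot: In the Src/input.c hunk, the `else if (!(inbufflags & INP_CONT))` branch is no longer debug-only, but the only comment left inside it is "Just for debugging". Before this change a non-DEBUG build compiled that test out and fell through to the `else` branch that backs up into a previous input stack; now every build reports an error and returns without pushing the character back. A short comment above the `zerr(...)` call saying that this is a deliberate parse error in all builds, and that callers of inungetc() learn about it only through errflag, would make the new contract clear to anyone who later adds an unget loop like the one in cmd_or_math().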
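Review bot: In the Src/lex.c hunk, the early `if (errflag) return 2;` after the unwind loop leaves lexbuf only partly rewound, since the loop now stops as soon as errflag is set and lexbuf.len can still be greater than oldlen. Either restore lexbuf.len and lexbuf.ptr to the oldlen position before returning, or add a comment stating that callers discard the buffer when cmd_or_math() returns 2. Two smaller points: the loop condition also skips the rewind entirely if errflag was already set on entry, and the first `hungetc(c);` before the loop is not followed by its own errflag check, so that failure is only noticed at the loop test. The comment describing this function's return values should also be checked to confirm it covers 2 on this path.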