From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-6197-mason-zsh=primenet.com.au@sunsite.auc.dk>
Received: (qmail 29814 invoked from network); 3 May 1999 09:48:24 -0000
Received: from sunsite.auc.dk (130.225.51.30)
  by ns1.primenet.com.au with SMTP; 3 May 1999 09:48:24 -0000
Received: (qmail 17070 invoked by alias); 3 May 1999 09:48:07 -0000
Mailing-List: contact zsh-workers-help@sunsite.auc.dk; run by ezmlm
Precedence: bulk
X-No-Archive: yes
X-Seq: 6197
Received: (qmail 17062 invoked from network); 3 May 1999 09:48:06 -0000
Date: Mon, 3 May 1999 11:18:45 +0200 (MET DST)
Message-Id: <199905030918.LAA28922@beta.informatik.hu-berlin.de>
From: Sven Wischnowsky <wischnow@informatik.hu-berlin.de>
To: zsh-workers@sunsite.auc.dk
In-reply-to: Tanaka Akira's message of 03 May 1999 01:46:18 +0900
Subject: Re: Completion problem on right hand side of assignment.


Tanaka Akira wrote:

> ...
> rascal% A=Doc/Zsh/zsh: segmentation fault (core dumped)  ./Src/zsh -f
> Z:akr@rascal% 
> ...
>   BUG: attempt to free already free storage
>   BUG: attempt to free storage at invalid address

Seems like clwnum is off-by-one after parsing an assignment. This
caused compwords to be allocated one field too short in callcompfunc
and then the NULL pointer terminating it could be overwritten.

This should fix it.

Bye
 Sven

diff -u os/Zle/zle_tricky.c Src/Zle/zle_tricky.c
--- os/Zle/zle_tricky.c	Mon May  3 11:07:15 1999
+++ Src/Zle/zle_tricky.c	Mon May  3 11:07:50 1999
@@ -4360,7 +4360,7 @@
 
 	    PERMALLOC {
 		q = compwords = (char **)
-		    zalloc((clwnum - aadd + 1) * sizeof(char *));
+		    zalloc((clwnum + 1) * sizeof(char *));
 		for (p = clwords + aadd; *p; p++, q++) {
 		    tmp = dupstring(*p);
 		    untokenize(tmp);

--
Sven Wischnowsky                         wischnow@informatik.hu-berlin.de