Re: `foo=foo; (( foo ))' => infinite recursion

Re: `foo=foo; (( foo ))' => infinite recursion

[Sven Wischnowsky]

Alexandre Duret-Lutz wrote:

> An easy way to die.
> 
> ~ % zsh -f
> phobos% foo=foo; (( foo ))
> zsh: segmentation fault  zsh -f

What really irritated me was that getnumvalue() called matheval().
That meant that in cases like the one above $foo could contain any
mathematical expression and that would get evaluated.

The patch makes it take only numbers from $foo (or integer-zero if
there is none). If that is considered to be the wrong idea we have to
find some other way to avoid the endless recusion, I think.

One question: currently it only skips white space at the beginning of 
$foo to find the number (btw, all number-formats zsh knows of should
be understood); should we make it skip all non-numeric characters?

Bye
 Sven

diff -ru ../z.old/Src/math.c Src/math.c
--- ../z.old/Src/math.c	Mon Mar 13 10:18:27 2000
+++ Src/math.c	Mon Mar 13 10:29:36 2000
@@ -950,6 +950,78 @@
     return (x.type & MN_FLOAT) ? (zlong)x.u.d : x.u.l;
 }
 
+/**/
+mod_export mnumber
+mathnumber(char *s)
+{
+    mnumber ret;
+
+    ret.type = MN_INTEGER;
+
+    while (*s) {
+	switch (*s++) {
+	case '[':
+	    {
+		int base = zstrtol(s, &s, 10);
+
+		if (*s == ']')
+		    s++;
+		ret.u.l = zstrtol(s, &s, base);
+		return ret;
+	    }
+	case ' ':
+	case '\t':
+	case '\n':
+	    break;
+	case '0':
+	    if (*s == 'x' || *s == 'X') {
+		/* Should we set lastbase here? */
+		ret.u.l = zstrtol(++s, &s, 16);
+		return ret;
+	    }
+	/* Fall through! */
+	default:
+	    if (idigit(*--s) || *s == '.') {
+		char *nptr;
+#ifdef USE_LOCALE
+		char *prev_locale;
+#endif
+		for (nptr = s; idigit(*nptr); nptr++);
+
+		if (*nptr == '.' || *nptr == 'e' || *nptr == 'E') {
+		    /* it's a float */
+		    ret.type = MN_FLOAT;
+#ifdef USE_LOCALE
+		    prev_locale = setlocale(LC_NUMERIC, NULL);
+		    setlocale(LC_NUMERIC, "POSIX");
+#endif
+		    ret.u.d = strtod(s, &nptr);
+#ifdef USE_LOCALE
+		    setlocale(LC_NUMERIC, prev_locale);
+#endif
+		    if (s == nptr || *nptr == '.')
+			goto end;
+		    s = nptr;
+		} else {
+		    /* it's an integer */
+		    ret.u.l = zstrtol(s, &s, 10);
+
+		    if (*s == '#')
+			ret.u.l = zstrtol(++s, &s, ret.u.l);
+		}
+		return ret;
+	    }
+	    goto end;
+	}
+    }
+ end:
+
+    ret.type = MN_INTEGER;
+    ret.u.l = 0;
+
+    return ret;
+}
+
 /*
  * Make sure we have an operator or an operand, whatever is expected.
  * For this purpose, unary operators constitute part of an operand.
diff -ru ../z.old/Src/params.c Src/params.c
--- ../z.old/Src/params.c	Mon Mar 13 10:18:27 2000
+++ Src/params.c	Mon Mar 13 10:29:36 2000
@@ -1420,7 +1420,7 @@
 	mn.type = MN_FLOAT;
 	mn.u.d = v->pm->gets.ffn(v->pm);
     } else
-	return matheval(getstrvalue(v));
+	return mathnumber(getstrvalue(v));
     return mn;
 }
 

--
Sven Wischnowsky                         wischnow@informatik.hu-berlin.de

Re: `foo=foo; (( foo ))' => infinite recursion

[Bart Schaefer]

On Mar 13, 10:34am, Sven Wischnowsky wrote:
} Subject: Re: `foo=foo; (( foo ))' => infinite recursion
}
} What really irritated me was that getnumvalue() called matheval().
} That meant that in cases like the one above $foo could contain any
} mathematical expression and that would get evaluated.

Urgh.  This is ugly, but appears to have been done for a long time, so
I'm a bit leery of changing it.  (( foo == $foo )) is probably meant to
be true, which won't be the case any more with your patch.

Maybe just a recursion counter with a reasonably large limit?

} One question: currently it only skips white space at the beginning of 
} $foo to find the number (btw, all number-formats zsh knows of should
} be understood); should we make it skip all non-numeric characters?

No, I don't think so.

-- 
Bart Schaefer                                 Brass Lantern Enterprises
http://www.well.com/user/barts              http://www.brasslantern.com

`foo=foo; (( foo ))' => infinite recursion

[Alexandre Duret-Lutz]

An easy way to die.

~ % zsh -f
phobos% foo=foo; (( foo ))
zsh: segmentation fault  zsh -f

#0  0x8080add in mathevall (s=0x80e5890 "foo", prek=17, ep=0xbf800308)
    at ../../latest/Src/math.c:855
855     {
(gdb) bt
#0  0x8080add in mathevall (s=0x80e5890 "foo", prek=17, ep=0xbf800308)
    at ../../latest/Src/math.c:855
#1  0x8080d13 in matheval (s=0x80e5890 "foo") at ../../latest/Src/math.c:923
#2  0x808bc5b in getnumvalue (v=0xbf800384) at ../../latest/Src/params.c:1423
#3  0x808c81d in getnparam (s=0x401e09bb "") at ../../latest/Src/params.c:1655
#4  0x808100a in mathparse (pc=17) at ../../latest/Src/math.c:1011
#5  0x8080be2 in mathevall (s=0x80e5890 "foo", prek=17, ep=0xbf800ad8)
    at ../../latest/Src/math.c:888
#6  0x8080d13 in matheval (s=0x80e5890 "foo") at ../../latest/Src/math.c:923
#7  0x808bc5b in getnumvalue (v=0xbf800b54) at ../../latest/Src/params.c:1423
#8  0x808c81d in getnparam (s=0x401e09b3 "") at ../../latest/Src/params.c:1655
#9  0x808100a in mathparse (pc=17) at ../../latest/Src/math.c:1011
#10 0x8080be2 in mathevall (s=0x80e5890 "foo", prek=17, ep=0xbf8012a8)
    at ../../latest/Src/math.c:888
#11 0x8080d13 in matheval (s=0x80e5890 "foo") at ../../latest/Src/math.c:923
#12 0x808bc5b in getnumvalue (v=0xbf801324) at ../../latest/Src/params.c:1423
#13 0x808c81d in getnparam (s=0x401e09ab "") at ../../latest/Src/params.c:1655
#14 0x808100a in mathparse (pc=17) at ../../latest/Src/math.c:1011
#15 0x8080be2 in mathevall (s=0x80e5890 "foo", prek=17, ep=0xbf801a78)
    at ../../latest/Src/math.c:888

... and so on ...

-- 
Alexandre Duret-Lutz