X-Seq: 11374
Date: Mon, 15 May 2000 13:52:17 +0200 (MET DST)
Message-Id: <200005151152.NAA18780@beta.informatik.hu-berlin.de>
From: Sven Wischnowsky
To: zsh-workers@sunsite.auc.dk
In-reply-to: "Bart Schaefer"'s message of Mon, 15 May 2000 11:44:55 +0000
Subject: Re: PATCH: Re: Seg fault in matcher-list matching

Bart Schaefer wrote:

> ...
>
> It doesn't dump for me any more, but I'm still nervous about line 1767 of
> compcore.c:
>
> #1 0x80bd798 in addmatches (dat=0xbfffa854, argv=0xbfffa8d8)
>     at ../../../zsh-3.1.6/Src/Zle/compcore.c:1768
> 1768        if ((ml = match_str(lsuf, s, &bsl, 0, NULL, 1, 0, 1)) >= 0) {
> (gdb) l
> 1763            else
> 1764                *argv = NULL;
> 1765            bcp = lpl;
> 1766        }
> 1767        s = dat->psuf ? dat->psuf : "";
> 1768        if ((ml = match_str(lsuf, s, &bsl, 0, NULL, 1, 0, 1)) >= 0) {
> 1769            if (matchsubs) {
> 1770                Cline tmp = get_cline(NULL, 0, NULL, 0, NULL, 0, CLF_SUF);
> 1771
> 1772                tmp->suffix = matchsubs;
>
> The reported core dump was caused because match_str() wrote a '\0' byte into
> the string pointed to by its second argument [`s' above, `w' in match_str()]
> which is being passed as a string constant when dat->psuf == 0.

Yes, I know.

> Is that a
> potential bug, still?

I'm pretty sure I made sure that we don't try to write into strings we
can't write into with the patch I sent. But I'll also commit the one
below for some extra safety.

Bye
 Sven

Index: Src/Zle/compcore.c =================================================================== RCS file: /cvsroot/zsh/zsh/Src/Zle/compcore.c,v retrieving revision 1.19 diff -u -r1.19 compcore.c --- Src/Zle/compcore.c 2000/05/12 07:03:41 1.19 +++ Src/Zle/compcore.c 2000/05/15 11:52:03 @@ -1739,7 +1739,7 @@ llpl -= gfl; } } - s = dat->ppre ? dat->ppre : ""; + s = dat->ppre ? dat->ppre : dupstring(""); if ((ml = match_str(lpre, s, &bpl, 0, NULL, 0, 0, 1)) >= 0) { if (matchsubs) { Cline tmp = get_cline(NULL, 0, NULL, 0, NULL, 0, 0); 
@@ -1757,14 +1757,14 @@ bpadd = strlen(s) - ml; } else { if (llpl <= lpl && strpfx(lpre, s)) - lpre = ""; + lpre = dupstring(""); else if (llpl > lpl && strpfx(s, lpre)) lpre += lpl; else *argv = NULL; bcp = lpl; } - s = dat->psuf ? dat->psuf : ""; + s = dat->psuf ? dat->psuf : dupstring(""); if ((ml = match_str(lsuf, s, &bsl, 0, NULL, 1, 0, 1)) >= 0) { if (matchsubs) { Cline tmp = get_cline(NULL, 0, NULL, 0, NULL, 0, CLF_SUF); @@ -1782,7 +1782,7 @@ bsadd = strlen(s) - ml; } else { if (llsl <= lsl && strsfx(lsuf, s)) - lsuf = ""; + lsuf = dupstring(""); else if (llsl > lsl && strsfx(s, lsuf)) lsuf[llsl - lsl] = '\0'; else -- Sven Wischnowsky wischnow@informatik.hu-berlin.de
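
Review bot: the new assignment in the first hunk (@@ -1739), s = dat->ppre ? dat->ppre : dupstring(""), has no comment saying why an empty string is duplicated. Read on its own it looks like a needless allocation, and a later cleanup could turn it back into "". A one-line comment that match_str() may write a '\0' through its second argument, so s must never point at a string constant, would keep the fix from being reverted. The same comment applies to the other three dupstring("") sites in this patch.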
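
Review bot: in the second hunk (@@ -1757), s = dat->psuf ? dat->psuf : dupstring("") gives s a private copy only when dat->psuf is NULL. When dat->psuf is set, s aliases it and match_str(lsuf, s, ...) receives the caller's buffer directly. Since the quoted report says match_str() wrote a '\0' through this argument, it is worth confirming that dat->psuf is always writable and that modifying it in place is acceptable to the caller; if either is in doubt, duplicate in both cases, for example s = dupstring(dat->psuf ? dat->psuf : ""). The dat->ppre line in the first hunk has the same shape.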
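
Review bot: in the last hunk (@@ -1782), lsuf = dupstring("") covers only the branch that assigns the empty string, while the next branch, lsuf[llsl - lsl] = '\0', writes through lsuf as it was on entry. Nothing in the hunk shows where that buffer comes from, so the patch does not by itself establish that this write is safe. Please state in the commit message or a comment that lsuf (and lpre, which the previous hunk treats the same way) already points at writable, privately owned storage at this point, or duplicate it before the in-place truncation.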