* PATCH: NULL-Pointer dereference in complist.c
From: Felix Eckhofer @ 2007-02-02 22:45 UTC (permalink / raw)
To: zsh-workers
Hi everyone.

Just recently I started to enjoy the wonders of zsh and it is definitely
the best shell I have used so far. Thanks for a great piece of
software!

However, I was quickly able to reproduce a segfault on my machine
(Ubuntu 6.10, zsh 4.3.2-13ubuntu1, x86_64). It happens because at
complist.c:1848 s == NULL. I wasn't able to understand completely what
happens, but the attached patch works for me and seems reasonable.
Unfortunately, CVS seems down for the moment so I couldn't check whether
this is already fixed in HEAD. If it is, ignore me :)

Steps to reproduce:
1) Open the menu completion in interactive mode.
2) Press backspace.

I've also attached the backtrace. Let me know if you need any further
information.

best regards,
felix
--
felix_eckhofer * [fli4l-/eis-team] * ICQ#_59008162
"One operating system to enslave them all, to find them all,
to drive them into darkness and bind them forever..."
[-- Attachment #1.2: zsh_nullpointer_msearchpop.patch (text/x-diff) --]
--- zsh-4.2.6/Src/Zle/complist.c 2005-04-25 12:20:00.000000000 +0200
+++ zsh-4.2.6-patched/Src/Zle/complist.c 2007-02-02 23:06:36.000000000 +0100
@@ -1845,6 +1845,9 @@
{
Menusearch s = msearchstack;
+ if (!s)
+ return NULL;
+
if (s->prev)
msearchstack = s->prev;
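Review bot: the new early `return NULL` leaves `*backp` unwritten on that path, so the caller at complist.c:2832 (domenuselect, per the backtrace) must check the return value before using `back` or the returned matches; the `bt full` output shows `back = 0` there, but the hunk itself does not show that the caller handles a NULL result. The guard also only addresses the symptom: the open question is why domenuselect pops an already-empty search stack on backspace (the reporter's steps 1 and 2), and whether the caller should stop at the bottom entry instead of calling msearchpop at all. Finally, the diff was generated without function context (`-p`), so the enclosing function name, msearchpop, appears only in the gdb log; regenerating with `diff -up` would make the hunk easier to review.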
[-- Attachment #1.3: gdb.log (text/x-log) --]
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".
(gdb) run
Starting program: /usr/local/bin/zsh
Program received signal SIGSEGV, Segmentation fault.
0x00002b5fcaed3658 in msearchpop (backp=0x7fffe0c27938) at complist.c:1848
1848 if (s->prev)
(gdb)
(gdb) bt
#0 0x00002b5fcaed3658 in msearchpop (backp=0x7fffe0c27938) at complist.c:1848
#1 0x00002b5fcaed749d in domenuselect (dummy=0x2b5fcadc1968, dat=0x7fffe0c27b00) at complist.c:2832
#2 0x000000000045d873 in runhookdef (h=0x2b5fcadc1968, d=0x7fffe0c27b00) at module.c:1859
#3 0x00002b5fcaca5a9a in after_complete (dummy=0x2b5fcab8cc98, dat=0x7fffe0c27ba0) at compcore.c:496
#4 0x000000000045d8dd in runhookdef (h=0x2b5fcab8cc98, d=0x7fffe0c27ba0) at module.c:1865
#5 0x00002b5fcaa73f38 in docomplete (lst=0) at zle_tricky.c:824
#6 0x00002b5fcaa72616 in expandorcomplete (args=0x2b5fcab8d0e0) at zle_tricky.c:288
#7 0x00002b5fcaa721dd in completecall (args=0x2b5fcab8d0e0) at zle_tricky.c:182
#8 0x00002b5fcaa64a2c in execzlefunc (func=0x2b5fcab89d58, args=0x2b5fcab8d0e0) at zle_main.c:933
#9 0x00002b5fcaa63f92 in zlecore () at zle_main.c:709
#10 0x00002b5fcaa646bc in zleread (lp=0x5c0e30, rp=0x5c0d68, flags=3, context=0) at zle_main.c:863
#11 0x0000000000443a18 in inputline () at input.c:278
#12 0x00000000004438a5 in ingetc () at input.c:214
#13 0x00000000004398b5 in ihgetc () at hist.c:241
#14 0x000000000044d016 in gettok () at lex.c:631
#15 0x000000000044c776 in yylex () at lex.c:347
#16 0x000000000046a30f in parse_event () at parse.c:449
#17 0x00000000004406c5 in loop (toplevel=1, justonce=0) at init.c:128
#18 0x00000000004433f7 in zsh_main (argc=1, argv=0x7fffe0c282b8) at init.c:1280
#19 0x000000000040d0f3 in main (argc=1, argv=0x7fffe0c282b8) at ./main.c:93
(gdb) bt full
#0 0x00002b5fcaed3658 in msearchpop (backp=0x7fffe0c27938) at complist.c:1848
s = (Menusearch) 0x0
#1 0x00002b5fcaed749d in domenuselect (dummy=0x2b5fcadc1968, dat=0x7fffe0c27b00) at complist.c:2832
back = 0
np = (Cmatch **) 0x7fffe0c279b0
p = (Cmatch **) 0x62db60
pg = (Cmgroup *) 0x62c3a0
cmd = (Thingy) 0x2b5fcab89790
do_last_key = 0
u = (Menustack) 0x0
i = 1
acc = 0
wishcol = 0
setwish = 0
oe = 0
wasnext = 0
space = 39
lbeg = 0
step = 1
wrap = -524125712
pl = 1
broken = 0
first = 0
nolist = 0
mode = 2
modecs = 14
modell = 14
modelen = 10
s = 0x62f4f0 "search-forward"
status = "isearch: \000éÉ_+\000\000\016\000\000\000\000\000\000\000ðÿÿÿÿÿÿÿ\016\000\000\000\000\000\000\000 µb", '\0' <repeats 22 times>, "\200pÊ_+\000\000\000X_\000\000\000\000\000ðzÂàÿ\177\000\000eXÊÊ_+\000\000\000\000\000\000\000\000\000\000Àq^\000\000\000\000\000\001\000\000\000\002\000\000\000\002\000\000\000\002\000\000"
modeline = 0x2b5fca7081c0 "cd chrono-zsh/"
fdat = (Chdata) 0x7fffe0c27b00
lastsearch = 0x0
#2 0x000000000045d873 in runhookdef (h=0x2b5fcadc1968, d=0x7fffe0c27b00) at module.c:1859
p = (LinkNode) 0x5dfbd0
r = 11103
#3 0x00002b5fcaca5a9a in after_complete (dummy=0x2b5fcab8cc98, dat=0x7fffe0c27ba0) at compcore.c:496
cdat = {matches = 0x63ea30, num = 11, nmesg = 0, cur = 0x0}
ret = 11103
#4 0x000000000045d8dd in runhookdef (h=0x2b5fcab8cc98, d=0x7fffe0c27ba0) at module.c:1865
No locals.
#5 0x00002b5fcaa73f38 in docomplete (lst=0) at zle_tricky.c:824
s = 0x6190e0 ' ' <repeats 14 times>
ol = 0x0
olst = 4
chl = 0
ne = 0
ocs = 3
ret = 0
dat = {0, 0}
active = 1
#6 0x00002b5fcaa72616 in expandorcomplete (args=0x2b5fcab8d0e0) at zle_tricky.c:288
ret = 11103
#7 0x00002b5fcaa721dd in completecall (args=0x2b5fcab8d0e0) at zle_tricky.c:182
No locals.
#8 0x00002b5fcaa64a2c in execzlefunc (func=0x2b5fcab89d58, args=0x2b5fcab8d0e0) at zle_main.c:933
atcurhist = 1
wflags = 134
r = 0
ret = 0
w = (Widget) 0x5f53e0
#9 0x00002b5fcaa63f92 in zlecore () at zle_main.c:709
No locals.
#10 0x00002b5fcaa646bc in zleread (lp=0x5c0e30, rp=0x5c0d68, flags=3, context=0) at zle_main.c:863
s = (unsigned char *) 0x0
old_errno = 0
tmout = 0
initthingy = (Thingy) 0x0
#11 0x0000000000443a18 in inputline () at input.c:278
flags = 3
ingetcline = 0x0
ingetcpmptl = (char **) 0x5c0e30
ingetcpmptr = (char **) 0x5c0d68
context = 0
#12 0x00000000004438a5 in ingetc () at input.c:214
lastc = 0
#13 0x00000000004398b5 in ihgetc () at hist.c:241
c = 0
#14 0x000000000044d016 in gettok () at lex.c:631
c = 0
d = 0
peekfd = -1
peek = 0
#15 0x000000000044c776 in yylex () at lex.c:347
No locals.
#16 0x000000000046a30f in parse_event () at parse.c:449
No locals.
#17 0x00000000004406c5 in loop (toplevel=1, justonce=0) at init.c:128
prog = (Eprog) 0x5d9490
#18 0x00000000004433f7 in zsh_main (argc=1, argv=0x7fffe0c282b8) at init.c:1280
t = (char **) 0x7fffe0c282c0
t0 = 156
#19 0x000000000040d0f3 in main (argc=1, argv=0x7fffe0c282b8) at ./main.c:93
No locals.
(gdb) quit
The program is running. Exit anyway? (y or n)
* Re: PATCH: NULL-Pointer dereference in complist.c
From: Peter Stephenson @ 2007-02-02 23:50 UTC (permalink / raw)
To: zsh-workers
Felix Eckhofer wrote:
> However, I was quickly able to reproduce a segfault on my machine
> (Ubuntu 6.10, zsh 4.3.2-13ubuntu1, x86_64). It happens, because at
> complist.c:1848 s == NULL. I wasn't able to understand completely what
> happens but the attached patch works for me and seems reasonable.
>
> Unfortunately, CVS seems down for the moment so I couldn't check whether
> this is already fixed in HEAD. If it is, ignore me :)

There's no corresponding fix yet, but the code is pretty much the same at
that point, so, although I couldn't get it to happen with a short play,
I applied your patch, which certainly looks unproblematic. Thanks.

--
Peter Stephenson <p.w.stephenson@ntlworld.com>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/