zsh-workers
* segfault completing "foo$"
@ 2007-08-22 16:02 Clint Adams
  2007-08-22 16:54 ` Peter Stephenson
From: Clint Adams @ 2007-08-22 16:02 UTC
  To: zsh-workers

Type "foo$"<TAB><TAB><TAB> (1-3 tabs, depending on setup, I think) to segfault zsh.

#0  0x00002b994d4b47d3 in memcpy () from /lib/libc.so.6
#1  0x000000000046c6ba in dupstrpfx (s=0x77fea1 "foo$\"_", len=<value optimized out>) at ../../Src/string.c:146
#2  0x00002b994e210e37 in do_single (m=0x75f170) at ../../../Src/Zle/compresult.c:1154
#3  0x00002b994e211dda in do_ambig_menu () at ../../../Src/Zle/compresult.c:1403
#4  0x00002b994e211925 in do_ambiguous () at ../../../Src/Zle/compresult.c:767
#5  0x00002b994e2079ed in do_completion (dummy=<value optimized out>, dat=<value optimized out>) at ../../../Src/Zle/compcore.c:401
#6  0x00002b994dfddcf3 in docompletion (s=<value optimized out>, lst=<value optimized out>, incmd=-8)
    at ../../../Src/Zle/zle_tricky.c:2035
#7  0x00002b994dfe1022 in docomplete (lst=3) at ../../../Src/Zle/zle_tricky.c:842
#8  0x00002b994dfdbdb0 in completecall (args=<value optimized out>) at ../../../Src/Zle/zle_tricky.c:208
#9  0x00002b994dfd08a6 in execzlefunc (func=0x2b994e1ee4f0, args=0x2b994e1f3440, set_bindk=0) at ../../../Src/Zle/zle_main.c:1254
#10 0x00002b994dfd0a9d in zlecore () at ../../../Src/Zle/zle_main.c:1019
#11 0x00002b994dfd10db in zleread (lp=<value optimized out>, rp=<value optimized out>, flags=<value optimized out>, 
    context=<value optimized out>) at ../../../Src/Zle/zle_main.c:1174
#12 0x000000000043d080 in ingetc () at ../../Src/input.c:278
#13 0x0000000000437f1a in ihgetc () at ../../Src/hist.c:240
#14 0x0000000000445a5b in gettok () at ../../Src/lex.c:630
#15 0x0000000000446258 in yylex () at ../../Src/lex.c:345
#16 0x0000000000461867 in parse_event () at ../../Src/parse.c:451
#17 0x000000000043baa8 in loop (toplevel=1, justonce=0) at ../../Src/init.c:128
#18 0x000000000043c80c in zsh_main (argc=<value optimized out>, argv=0x7fff5e183d58) at ../../Src/init.c:1347
#19 0x00002b994d457b44 in __libc_start_main () from /lib/libc.so.6
#20 0x000000000040f5b9 in _start ()


* Re: segfault completing "foo$"
  2007-08-22 16:02 segfault completing "foo$" Clint Adams
@ 2007-08-22 16:54 ` Peter Stephenson
From: Peter Stephenson @ 2007-08-22 16:54 UTC
  To: zsh-workers

On Wed, 22 Aug 2007 12:02:37 -0400
Clint Adams <clint@zsh.org> wrote:
> Type "foo$"<TAB><TAB><TAB> (1-3 tabs, depending on setup, I think) to
> segfault zsh.

That's never been properly handled, I don't think, but in 4.2 it didn't
cause a segfault, simply assigned a duff number in the parameter suffix
table.  The code implies that could do dire things later on, but I don't
know if it did.  Now we actually use the invalid value for creating a
prefix string to analyse, which causes the crash.  I think the immediate
fix is simply "don't do that".  I don't think parameter completion should
even be active in this case, but there's no way I'm going down that route.
This parq business is in the "not even obscure" category.

Index: Src/Zle/compresult.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/Zle/compresult.c,v
retrieving revision 1.71
diff -u -r1.71 compresult.c
--- Src/Zle/compresult.c	28 May 2007 13:08:48 -0000	1.71
+++ Src/Zle/compresult.c	22 Aug 2007 16:47:57 -0000
@@ -1148,7 +1148,7 @@
 		makesuffixstr(m->remf, m->rems, 1);
 	}
     }
-    if (minfo.we && partest && isset(AUTOPARAMKEYS)) {
+    if (minfo.we && partest && isset(AUTOPARAMKEYS) && minfo.insc - parq > 0) {
 	/* the suffix code needs numbers of characters, not octets */
 	int outlen;
 	char *tmpstr = dupstrpfx(zlemetaline + parq, minfo.insc - parq);
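
Review bot: the added `minfo.insc - parq > 0` test on the `if` line only rejects a zero or negative length; it does not check `parq` itself, so a negative `parq` still satisfies the condition and `zlemetaline + parq` is still handed to `dupstrpfx()`. Consider also requiring `parq >= 0` here, or validating the value at the point where it is stored, and add a short comment explaining why the length test is needed, since the existing comment only covers characters versus octets. The condition line is also now well over 80 columns and could be wrapped.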

-- 
Peter Stephenson <pws@csr.com>                  Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK                          Tel: +44 (0)1223 692070
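
The failure class in this thread, a signed offset difference reaching a copy routine as its length, shown as an added C example that is not part of the thread or of zsh's source. `dup_prefix` is an assumed stand-in for a `dupstrpfx`-style helper, and `bytes_requested`, `param_prefix`, `start`, `end` and `line_len` are hypothetical names with constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a dupstrpfx-style helper (assumed shape, not zsh's source):
 * copies exactly len bytes of s and NUL-terminates. It trusts len. */
static char *dup_prefix(const char *s, int len)
{
    char *r = malloc((size_t)len + 1);
    if (r == NULL)
        return NULL;
    memcpy(r, s, (size_t)len);
    r[len] = '\0';
    return r;
}

/* Byte count memcpy receives when the signed difference is passed unchecked:
 * a negative int converts to a huge size_t. */
size_t bytes_requested(int insc, int parq)
{
    return (size_t)(insc - parq);
}

/* Guarded caller. start/end/line_len are hypothetical names; start plays the
 * role of parq and end the role of minfo.insc in the patch. */
char *param_prefix(const char *line, int line_len, int start, int end)
{
    if (start < 0 || start > line_len)   /* offset must lie inside the line */
        return NULL;
    if (end <= start || end > line_len)  /* length positive, end in bounds */
        return NULL;
    return dup_prefix(line + start, end - start);
}

int main(void)
{
    const char *line = "foo$";           /* constructed input */
    char *ok = param_prefix("echo $HOME", 10, 5, 10);

    printf("unchecked length for (4, 6): %zu bytes\n", bytes_requested(4, 6));
    printf("guarded, stale offset: %s\n",
           param_prefix(line, 4, 6, 4) ? "copied" : "rejected");
    printf("guarded, valid offsets: %s\n", ok ? ok : "rejected");
    free(ok);
    return 0;
}
```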

