From: Peter Stephenson
To: "Zsh Hackers' List"
Subject: Re: zsh 4.3.13 released
Date: Sat, 3 Dec 2011 22:56:10 +0000
Message-ID: <20111203225610.2d32f20a@pws-pc.ntlworld.com>
In-Reply-To: <20111203221953.GA18173@coredump.raveland.priv>
List-Id: Zsh Workers List
X-Seq: 29940

On Sat, 3 Dec 2011 23:19:54 +0100 ports@raveland.org wrote:
> % zmodload -i bogus/notamodule
> Segmentation fault (core dumped)
> ....
> #0 0x000000000048f5bc in metafy (buf=0x207a096d7 "File not found", len=14, heap=1) at utils.c:4006
> 4006 *e = '\0';
> (gdb) bt
> #0 0x000000000048f5bc in metafy (buf=0x207a096d7 "File not found", len=14, heap=1) at utils.c:4006

heap=1 is META_USEHEAP: "get memory from the heap. This leaves buf unchanged." However, the function unconditionally attempts to add null termination. A defence lawyer could probably claim that adding a null when there was one already there wasn't actually modification.

Not sure how we've avoided seeing this before. It seems some parts of the code are relying on the fact that the NULL gets added even if the string doesn't need metafying. Treating the absence of NULL termination as a reason for modifying the buffer was the neatest of the three fixes I came up with.

Index: Src/utils.c =================================================================== RCS file: /cvsroot/zsh/zsh/Src/utils.c,v retrieving revision 1.264 diff -p -u -r1.264 utils.c --- Src/utils.c 15 Nov 2011 15:08:57 -0000 1.264 +++ Src/utils.c 3 Dec 2011 22:51:19 -0000
@@ -3959,7 +3959,7 @@ metafy(char *buf, int len, int heap) if (imeta(*e++)) meta++; - if (meta || heap == META_DUP || heap == META_HEAPDUP) { + if (meta || heap == META_DUP || heap == META_HEAPDUP || *e != '\0') { switch (heap) { case META_REALLOC: buf = zrealloc(buf, len + meta + 1); @@ -4002,8 +4002,8 @@ metafy(char *buf, int len, int heap) meta--; } } + *e = '\0'; } - *e = '\0'; return buf; } -- Peter Stephenson Web page now at http://homepage.ntlworld.com/p.w.stephenson/
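Review bot: the new `*e != '\0'` test in the first hunk (the `if (meta || heap == META_DUP || heap == META_HEAPDUP || *e != '\0')` line) reads buf[len], one byte past the length the caller passed, because the preceding `if (imeta(*e++)) meta++;` loop leaves e at buf + len. The old code wrote that byte unconditionally, so this is strictly safer, but it makes the contract "buf is either NUL-terminated or has one readable byte beyond len" explicit, and the comment quoted in the mail ("This leaves buf unchanged" for META_USEHEAP) should be updated to say the buffer is left unchanged only when it is already NUL-terminated and needs no metafying.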
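Review bot: moving `*e = '\0';` inside the closing brace in the second hunk assumes e still points at the terminator position of whichever buffer is returned after the block, and nothing in the three visible context lines establishes that; a one-line comment next to the moved write would save the next reader from tracing it. The fall-through path now skips the write entirely, which is only correct together with the first hunk's `*e != '\0'` check, so the two hunks should land as one change, ideally with the `zmodload -i bogus/notamodule` reproducer from the report noted in the ChangeLog entry.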
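The bug and fix described in the mail, as an added example that is not zsh's code: a reduced model of metafy() in which `fixed=0` reproduces the pre-patch behaviour (the terminator is written into the caller's buffer even when nothing needed metafying) and `fixed=1` the patched behaviour. The `_demo` names, the malloc() stand-in for zsh's heap and the two-byte imeta() table are assumptions for this demo.

```c
/* Added example, not zsh's code: a reduced model of Src/utils.c:metafy()
 * showing the contract bug from the report and the shape of the fix.
 * The _demo names and malloc() standing in for zsh's heap are assumptions. */
#include <stdlib.h>
#include <string.h>

#define META_DEMO 0x83                /* zsh's Meta byte */
enum { USE_IN_PLACE, ALWAYS_COPY };   /* stands in for META_USEHEAP / META_HEAPDUP */

/* Stand-in for imeta(): only NUL and the Meta byte need escaping here;
 * zsh's real table marks a whole range of token bytes. */
static int imeta_demo(unsigned char c) { return c == 0 || c == META_DEMO; }

/* Returns buf itself when nothing needs doing (buf must then stay untouched),
 * otherwise a malloc'd, NUL-terminated, metafied copy.  fixed=1 models the
 * patched code: a missing terminator forces a copy, and the terminator is
 * only ever written into a buffer we own.  Note that the fixed check reads
 * buf[len], one byte past the caller's length. */
char *metafy_demo(char *buf, int len, int mode, int fixed)
{
    int meta = 0;
    char *e, *p, *t, *copy;

    for (e = buf; e < buf + len;)
        if (imeta_demo((unsigned char)*e++))
            meta++;

    if (meta || mode == ALWAYS_COPY || (fixed && *e != '\0')) {
        if (!(copy = malloc(len + meta + 1)))
            return NULL;
        buf = memcpy(copy, buf, len);
        p = buf + len;
        e = t = buf + len + meta;
        while (meta) {                     /* encode from the end, as zsh does */
            if (imeta_demo((unsigned char)(*--t = *--p))) {
                *t-- ^= 32;
                *t = (char)META_DEMO;
                meta--;
            }
        }
        *e = '\0';                         /* e now points at the end of the copy */
    } else if (!fixed) {
        *e = '\0';   /* pre-patch: written into the caller's, possibly read-only, memory */
    }
    return buf;
}
```

Calling `metafy_demo(buf, 3, USE_IN_PLACE, 0)` on a constructed `"abcXYZ"` overwrites the caller's `X` with a NUL, which is the write that faulted on the read-only "File not found" string in the report; with `fixed=1` the buffer is left intact and a terminated copy is returned instead.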