Subject: An amusing way to crash zsh
From: Christian Neukirchen @ 2013-01-21 21:37 UTC
To: zsh-workers

Hi,

Toying around on #zsh, derf0 and I found the following commands, which
crash zsh:

zsh --version
zsh 5.0.2 (x86_64-unknown-linux-gnu)

juno% ${:wq}

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff721aaa1 in __strlen_sse2_pminub () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff721aaa1 in __strlen_sse2_pminub () from /usr/lib/libc.so.6
#1  0x000000000047ac6a in ?? ()
#2  0x000000000047ddad in prefork ()
#3  0x00000000004290e8 in ?? ()
#4  0x000000000042b866 in ?? ()
#5  0x000000000042bdaf in ?? ()
#6  0x000000000042cf5f in execlist ()
#7  0x000000000042d47d in execode ()
#8  0x000000000043d972 in loop ()
#9  0x0000000000440b1e in zsh_main ()
#10 0x00007ffff70eca15 in __libc_start_main () from /usr/lib/libc.so.6
#11 0x000000000040f3d1 in _start ()

This is the stripped-down version of the next command, which probably
segfaults for the same reason:

juno% setopt histsubstpattern; echo ${:wF:3:s/%/foo}

Program received signal SIGSEGV, Segmentation fault.
0x00000000004864a0 in findword ()
(gdb) bt
#0  0x00000000004864a0 in findword ()
#1  0x000000000047841f in modify ()
#2  0x000000000047b916 in ?? ()
#3  0x000000000047ddad in prefork ()
#4  0x00000000004290e8 in ?? ()
#5  0x000000000042b866 in ?? ()
#6  0x000000000042bdaf in ?? ()
#7  0x000000000042cf5f in execlist ()
#8  0x000000000042d47d in execode ()
#9  0x000000000043d972 in loop ()
#10 0x0000000000440b1e in zsh_main ()
#11 0x00007ffff70eca15 in __libc_start_main () from /usr/lib/libc.so.6
#12 0x000000000040f3d1 in _start ()

The bug has also been reproduced with
zsh 5.0.2-dev-0 (x86_64-unknown-linux-gnu) at git checkout 27c5a0d77
and zsh 4.3.10 (i686-pc-linux-gnu).

:wq,
-- 
Christian Neukirchen  <chneukirchen@gmail.com>  http://chneukirchen.org



Subject: Re: An amusing way to crash zsh
From: Peter Stephenson @ 2013-01-22 16:23 UTC
To: zsh-workers

On Mon, 21 Jan 2013 22:37:04 +0100
Christian Neukirchen <chneukirchen@gmail.com> wrote:
> toying around on #zsh derf0 and I found the following commands which
> crash zsh:
> 
> juno% ${:wq}

It looks like the culprit is modify(), which is passing back a NULL
pointer --- in parameter handling we should always turn this into an
empty string instead.

This should make other such cases less horrific but print an error in
debug mode to trap the problem.

> juno% setopt histsubstpattern; echo ${:wF:3:s/%/foo}

I think that's fixed in the same way:  at least it doesn't crash any
more, whatever the hell it does.

Index: Src/subst.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/subst.c,v
retrieving revision 1.139
diff -p -u -r1.139 subst.c
--- Src/subst.c	5 Oct 2012 21:35:06 -0000	1.139
+++ Src/subst.c	22 Jan 2013 16:19:41 -0000
@@ -3707,6 +3707,11 @@ paramsubst(LinkList l, LinkNode n, char 
 	char *y;
 
 	x = val;
+	if (!x) {
+	    /* Shouldn't have got here with a NULL string. */
+	    DPUTS(1, "value is NULL in paramsubst");
+	    return NULL;
+	}
 	if (prenum || postnum)
 	    x = dopadding(x, prenum, postnum, preone, postone,
 			  premul, postmul
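Review bot: the `if (!x)` guard in paramsubst returns NULL without raising any error state, and DPUTS is a debug-only diagnostic (the covering message says as much: "print an error in debug mode"), so in a non-debug build a NULL value here makes the substitution fail silently, with no message for the user and nothing to distinguish it from the explicit error returns elsewhere in this function. If the path is meant to be unreachable once modify() is fixed, pairing the DPUTS with a zerr(), or substituting an empty string (`x = dupstring("");`) in line with the stated rule that parameter handling should always turn NULL into an empty string, would keep release behaviour predictable. A one-line comment naming which callers could still hand in NULL would also help.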
@@ -4021,7 +4026,10 @@ modify(char **str, char **ptr)
 		    all = tmp;
 		    t = e;
 		}
-		*str = all;
+		if (!all)
+		    *str = dupstring("");
+		else
+		    *str = all;
 
 	    } else {
 		switch (c) {
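Review bot: the `if (!all) *str = dupstring("");` normalization covers only the history-modifier branch that ends at `all = tmp;`; the `else` branch beginning at `switch (c) {`, which handles the remaining modifiers, is untouched, so any of those that can also hand back NULL still reach paramsubst unguarded (and in a non-debug build hit the silent return added there). The comment should also record why `all` can be NULL at this point, which the covering message attributes to modify() passing back NULL for an empty value, so the guard is not later mistaken for dead code and removed.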
Index: Test/D04parameter.ztst
===================================================================
RCS file: /cvsroot/zsh/zsh/Test/D04parameter.ztst,v
retrieving revision 1.68
diff -p -u -r1.68 D04parameter.ztst
--- Test/D04parameter.ztst	1 May 2012 19:43:44 -0000	1.68
+++ Test/D04parameter.ztst	22 Jan 2013 16:19:41 -0000
@@ -1544,3 +1544,10 @@
 0:Regression test for shwordsplit with null or unset IFS and quoted array
 >abc
 >a b c
+
+   foo=
+   print ${foo:wq}
+   print ${:wq}
+0:Empty parameter shouldn't cause modifiers to crash the shell
+>
+>
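Review bot: the new test exercises only `:wq` on an empty parameter and on `${:wq}`; the second crash from the report, `setopt histsubstpattern; echo ${:wF:3:s/%/foo}`, which faulted in findword() rather than in strlen(), is not covered, and the covering message says only that it no longer crashes. Since the ztst format can assert an exit status without pinning down stdout, adding that command with its own `0:` status line (and expected output once its behaviour is settled) would keep the second code path from regressing unnoticed.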


pws
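The contract behind this crash, as an added example in C that is not zsh's code and uses only invented names: a toy word-selecting modifier modelled on the `:w` case above reports "no such word" as NULL, an empty value therefore always yields NULL, and the consumer normalizes that to an empty string at the boundary, the same thing the `dupstring("")` change in modify() does, while a debug-only check standing in for DPUTS shows why the diagnostic alone would not protect a release build. `select_word`, `apply_word_modifier`, `modified_length`, `word_equals` and the `MODIFIER_DEBUG` macro are all assumptions for illustration, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Debug-only check in the spirit of zsh's DPUTS (hypothetical macro):
 * compiled out unless MODIFIER_DEBUG is defined, so it must never be
 * the only thing standing between a NULL and strlen(). */
#ifdef MODIFIER_DEBUG
#define DEBUG_CHECK(cond, msg) \
    do { if (!(cond)) fprintf(stderr, "BUG: %s\n", msg); } while (0)
#else
#define DEBUG_CHECK(cond, msg) do { (void)(cond); } while (0)
#endif

/* Toy word selector (invented for this example; not zsh's findword()).
 * Returns a malloc'd copy of the n-th whitespace-separated word of s,
 * or NULL when there is no such word. An empty value yields NULL for
 * every n: this is the "no result" that ${:wq} drove into strlen(). */
char *select_word(const char *s, int n)
{
    const char *p = s;
    for (;;) {
        while (*p == ' ' || *p == '\t')
            p++;
        if (!*p)
            return NULL;                 /* ran out of words */
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t')
            p++;
        if (n == 0) {
            size_t len = (size_t)(p - start);
            char *out = malloc(len + 1);
            if (!out)
                return NULL;
            memcpy(out, start, len);
            out[len] = '\0';
            return out;
        }
        n--;
    }
}

/* Boundary where the modifier's result re-enters string handling.
 * Like the patched modify(), a missing word becomes "" and never NULL,
 * so every downstream strlen()/strcpy() stays defined. Caller frees. */
char *apply_word_modifier(const char *value, int n)
{
    char *word = select_word(value, n);
    DEBUG_CHECK(word != NULL, "select_word returned NULL; substituting empty string");
    if (!word) {
        word = malloc(1);
        if (!word) {
            perror("malloc");
            exit(EXIT_FAILURE);
        }
        word[0] = '\0';
    }
    return word;
}

/* Consumer shaped like the strlen() caller in the backtrace: it
 * assumes a non-NULL string and is safe only because
 * apply_word_modifier() upholds that contract. */
size_t modified_length(const char *value, int n)
{
    char *word = apply_word_modifier(value, n);
    size_t len = strlen(word);           /* UB, and SIGSEGV on glibc, if word were NULL */
    free(word);
    return len;
}

/* Convenience for checking results: 1 if the modified value equals expect. */
int word_equals(const char *value, int n, const char *expect)
{
    char *word = apply_word_modifier(value, n);
    int same = strcmp(word, expect) == 0;
    free(word);
    return same;
}

int main(void)
{
    /* Constructed inputs: empty, whitespace only, and a normal value. */
    const char *cases[] = { "", "   ", "one two three" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        char *w = apply_word_modifier(cases[i], 1);
        printf("\"%s\" word 1 -> \"%s\" (length %zu)\n", cases[i], w, strlen(w));
        free(w);
    }
    return 0;
}
```

Build with `-DMODIFIER_DEBUG` to see the diagnostic fire on the empty inputs; build without it and the same inputs still produce an empty string rather than a NULL, which is the property the `dupstring("")` change restores and the ztst regression test pins down.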



Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/
