SegFault in stringsubst

[Andrew Waldron <a.a.w@gmx.us>]

Hi workers,

I'm getting a segfault in stringsubst when using process substitution
with anonymous functions.

I tried this with 5.0.5 and the head of git:
"() (print $1) <(:)" segfaults
"() {print $1} <(:)" works correctly.

There is also a segfault if you accidentally use process substitution
for a function name:
"function <(:) print" segfaults
"function <(:) {:}" does not segfault.

The segfault is on "restlen = strlen(rest);" when rest is uninitialised.

I made the changes below and it seemed to fix the issue.

Hope this helps,

Andrew.

diff --git a/Src/exec.c b/Src/exec.c
index f16cfd3..bf784bc 100644
--- a/Src/exec.c
+++ b/Src/exec.c
@@ -3867,8 +3867,10 @@ getoutputfile(char *cmd, char **eptr)
     int fd;
     char *s;
 
-    if (thisjob == -1)
+    if (thisjob == -1){
+	zerr("process substitution %s cannot be used here", cmd);
 	return NULL;
+    }
     if (!(prog = parsecmd(cmd, eptr)))
 	return NULL;
     if (!(nam = gettempname(NULL, 0)))
@@ -3939,11 +3941,13 @@ namedpipe(void)
     char *tnam = gettempname(NULL, 1);
 
 # ifdef HAVE_MKFIFO
-    if (mkfifo(tnam, 0600) < 0)
+    if (mkfifo(tnam, 0600) < 0){
 # else
-    if (mknod(tnam, 0010600, 0) < 0)
+    if (mknod(tnam, 0010600, 0) < 0){
 # endif
+	zerr("failed to create named pipe: %s, %e", tnam, errno);
 	return NULL;
+    }
     return tnam;
 }
 #endif /* ! PATH_DEV_FD && HAVE_FIFOS */
@@ -3966,9 +3970,10 @@ getproc(char *cmd, char **eptr)
 
 #ifndef PATH_DEV_FD
     int fd;
-
-    if (thisjob == -1)
+    if (thisjob == -1) {
+	zerr("process substitution %s cannot be used here", cmd);
 	return NULL;
+    }
     if (!(pnam = namedpipe()))
 	return NULL;
     if (!(prog = parsecmd(cmd, eptr)))
@@ -3993,8 +3998,10 @@ getproc(char *cmd, char **eptr)
 #else /* PATH_DEV_FD */
     int pipes[2], fd;
 
-    if (thisjob == -1)
+    if (thisjob == -1) {
+	zerr("process substitution %s cannot be used here", cmd);
 	return NULL;
+    }
     pnam = hcalloc(strlen(PATH_DEV_FD) + 6);
     if (!(prog = parsecmd(cmd, eptr)))
 	return NULL;
diff --git a/Src/parse.c b/Src/parse.c
index f0d0855..530a070 100644
--- a/Src/parse.c
+++ b/Src/parse.c
@@ -1471,7 +1471,6 @@ par_funcdef(int *complex)
 	if (num == 0) {
 	    /* Anonymous function, possibly with arguments */
 	    incmdpos = 0;
-	    *complex = 1;
 	}
 	zshlex();
     } else if (unset(SHORTLOOPS)) {
@@ -1503,6 +1502,7 @@ par_funcdef(int *complex)
 	    num++;
 	    zshlex();
 	}
+	*complex = (num > 0);
 	ecbuf[parg] = ecused - parg; /*?*/
 	ecbuf[parg+1] = num;
     }
@@ -1736,7 +1736,6 @@ par_simple(int *complex, int nr)
 		if (argc == 0) {
 		    /* Anonymous function, possibly with arguments */
 		    incmdpos = 0;
-		    *complex = 1;
 		}
 		zshlex();
 	    } else {
@@ -1776,6 +1775,7 @@ par_simple(int *complex, int nr)
 		    argc++;
 		    zshlex();
 		}
+		*complex = (argc > 0);
 		ecbuf[parg] = ecused - parg; /*?*/
 		ecbuf[parg+1] = argc;
 	    }
diff --git a/Src/subst.c b/Src/subst.c
index cc5df3f..4713502 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -169,7 +169,7 @@ stringsubst(LinkList list, LinkNode node, int pf_flags, int asssub)
 	    if (errflag)
 		return NULL;
 	    if (!subst)
-		subst = "";
+		rest = subst = "";
 
 	    sublen = strlen(subst);
 	    restlen = strlen(rest);
diff --git a/Test/C04funcdef.ztst b/Test/C04funcdef.ztst
index 706aa28..a266031 100644
--- a/Test/C04funcdef.ztst
+++ b/Test/C04funcdef.ztst
@@ -208,6 +208,11 @@
 >Da de da
 >Do be do
 
+  () (cat $1 $2) <(print process expanded) =(print expanded to file)
+0:Process substitution with anonymous functions
+>process expanded
+>expanded to file
+
   () { print This has arguments $*; } of all sorts; print After the function
   function { print More stuff $*; } and why not; print Yet more
 0:Anonymous function with arguments