Segfault because metafy() writes to a const char

zsh-workers
 help / color / mirror / code / Atom feed

From: Theo Buehler <theo@math.ethz.ch>
To: <zsh-workers@zsh.org>
Cc: <pea@openbsd.org>
Subject: Segfault because metafy() writes to a const char
Date: Wed, 18 Feb 2015 16:30:12 +0100	[thread overview]
Message-ID: <20150218153012.GB18324@math.ethz.ch> (raw)

When trying to load a non-existent module with

% zmodload bla

both with zsh versions 5.0.5 and 5.0.7 on OpenBSD 5.7 (-current), zsh
crashes and dumps core.


Here's a backtrace of the crash

#0  0x0000176db68ab49f in metafy (buf=0x17700e20cfdf "File not found", len=14, heap=1) at utils.c:4116
4116        *e = '\0';
(gdb) bt
#0  0x0000176db68ab49f in metafy (buf=0x17700e20cfdf "File not found", len=14, heap=1) at utils.c:4116
#1  0x0000176db686ad2a in do_load_module (name=0x17702e8d7a38 "bla", silent=0) at module.c:1600
#2  0x0000176db686b9b8 in load_module (name=0x17702e8d7a38 "bla", enablesarr=0x0, silent=0)
    at module.c:2202
#3  0x0000176db686c523 in require_module (module=0x17702e8d7a38 "bla", features=0x0) at module.c:2335
#4  0x0000176db686dfc5 in bin_zmodload_load (nam=0x17702e8d7a28 "zmodload", args=0x17702e8d7a48,
    ops=0x7f7fffff9050) at module.c:2971
#5  0x0000176db686cce2 in bin_zmodload (nam=0x17702e8d7a28 "zmodload", args=0x17702e8d7a48,
    ops=0x7f7fffff9050, func=0) at module.c:2486
#6  0x0000176db6817ff0 in execbuiltin (args=0x17702e8d79e0, bn=0x176db6abb400) at builtin.c:450
#7  0x0000176db6835f19 in execcmd (state=0x7f7fffff9710, input=0, output=0, how=18, last1=2)
    at exec.c:3378
#8  0x0000176db6830e6f in execpline2 (state=0x7f7fffff9710, pcode=131, how=18, input=0, output=0, last1=0)
    at exec.c:1697
#9  0x0000176db68302a8 in execpline (state=0x7f7fffff9710, slcode=4098, how=18, last1=0) at exec.c:1484
#10 0x0000176db682f9e3 in execlist (state=0x7f7fffff9710, dont_change_job=0, exiting=0) at exec.c:1267
#11 0x0000176db682f309 in execode (p=0x17702e8d7918, dont_change_job=0, exiting=0,
    context=0x176db69b35d7 "toplevel") at exec.c:1073
#12 0x0000176db684f1bb in loop (toplevel=1, justonce=0) at init.c:185
#13 0x0000176db6852f1d in zsh_main (argc=1, argv=0x7f7fffff9898) at init.c:1638
#14 0x0000176db68174df in main (argc=1, argv=0x7f7fffff9898) at ./main.c:93
(gdb) %


The following patch fixes this problem for me, however, it effectively
undoes a patch discussed in this thread:


http://www.zsh.org/mla/workers/2013/msg01089.html

and, especially here:

http://www.zsh.org/mla/workers/2013/msg01091.html




--- Src/utils.c.orig    Wed Feb 18 15:32:20 2015
+++ Src/utils.c Wed Feb 18 15:32:44 2015
@@ -4069,7 +4069,7 @@ metafy(char *buf, int len, int heap)
            if (imeta(*e++))
                meta++;

-    if (meta || heap == META_DUP || heap == META_HEAPDUP) {
+    if (meta || heap == META_DUP || heap == META_HEAPDUP || *e != '\0') {
        switch (heap) {
        case META_REALLOC:
            buf = zrealloc(buf, len + meta + 1);
@@ -4112,8 +4112,8 @@ metafy(char *buf, int len, int heap)
                meta--;
            }
        }
+       *e = '\0';
     }
-    *e = '\0';
     return buf;
 }

next             reply	other threads:[~2015-02-18 15:38 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-02-18 15:30 Theo Buehler [this message]
2015-02-18 16:49 ` Bart Schaefer
2015-02-19  9:52   ` Theo Buehler

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150218153012.GB18324@math.ethz.ch \
    --to=theo@math.ethz.ch \
    --cc=pea@openbsd.org \
    --cc=zsh-workers@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).