Date: Thu, 01 Oct 2015 16:13:41 +0100
From: Peter Stephenson
To: zsh-workers@zsh.org
Subject: Re: Heap corruption [the thread formerly known as substitution]
Message-id: <20151001161341.6a15f3c6@pwslap01u.europe.root.pri>
In-reply-to: <20151001152823.19512ecd@pwslap01u.europe.root.pri>
List-Id: Zsh Workers List
X-Seq: 36737
Organization: Samsung Cambridge Solution Centre

On Thu, 1 Oct 2015 15:28:23 +0100 Peter Stephenson wrote:
> That "alloc" is what gdb, valgrind and the OS itself agree is out of
> bounds. Sure enough, the sums say the heap finishes at 0x2b98ac555000,
> heap + 16384 or equivalently arena + 16344. Likely this is the last
> heap allocated.

More news: Penny Finally Drops.

Yes, the pointer isn't usable --- but the length is zero so it can't be dereferenced anyway. A pointer one off the end of a valid range is valid as long as it's not dereferenced, so only the pattern code needs fixing. It was broken regardless of heap storage; that just showed it up.

pws

diff --git a/Src/pattern.c b/Src/pattern.c index 68a3409..53bbd14 100644 --- a/Src/pattern.c +++ b/Src/pattern.c @@ -2224,8 +2224,10 @@ pattryrefs(Patprog prog, char *string, int stringlen, int unmetalenin, maxnpos = *nump; *nump = 0; } - /* inherited from domatch, but why, exactly? */ - if (*string == Nularg) { + /* + * Special signalling of empty tokinised string. + */ + if ((!patstralloc || stringlen > 0) && *string == Nularg) { string++; if (unmetalenin > 0) unmetalenin--; @@ -2233,8 +2235,10 @@ pattryrefs(Patprog prog, char *string, int stringlen, int unmetalenin, stringlen--; } - if (stringlen < 0) + if (stringlen < 0) { + DPUTS(patstralloc != NULL, "length needed with patstralloc"); stringlen = strlen(string); + } origlen = stringlen; if (patstralloc) {
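Review bot: the new comment in the first hunk ("Special signalling of empty tokinised string") does not say what the added `(!patstralloc || stringlen > 0)` guard protects against, and "tokinised" is a typo for "tokenised"; since the whole point is that with `patstralloc` set and `stringlen == 0` the pointer may be one past the end of the buffer and `*string` must not be read, the comment should state that, otherwise the next reader is left with the same "but why, exactly?" the old comment asked.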
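Review bot: in the second hunk the `DPUTS(patstralloc != NULL, "length needed with patstralloc")` only reports the inconsistent call, it does not stop the `stringlen = strlen(string)` that follows, so a caller that passes a fixed-length buffer with no length still has that buffer scanned for a NUL it may not contain; consider returning or treating the length as 0 in that case rather than continuing, and note that in a build where DPUTS compiles to nothing the condition is not checked at all.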
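The zero-length, one-past-the-end case the message describes, as an added C example (not zsh's code): a stand-alone model of the patched leading-Nularg check in pattryrefs(). NULARG_TOKEN, skip_leading_nularg and fixed_len are assumed names; unlike the patch, a fixed-length buffer supplied without a length is refused instead of being measured with strlen().

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for zsh's Nularg token byte (a constructed value for this example). */
#define NULARG_TOKEN 0x01

/*
 * Model of the leading-Nularg handling in pattryrefs() after the patch.
 * *sp/*lenp describe the subject string; fixed_len is non-zero when the
 * caller passed a fixed-length buffer (the patstralloc case), so the string
 * may not be NUL-terminated and may even be a one-past-the-end pointer of
 * length 0 that must never be read.
 * Returns 1 if a leading Nularg was skipped, 0 if not, and -1 for the
 * inconsistent call the patch flags with DPUTS: fixed buffer, unknown length.
 */
int skip_leading_nularg(const char **sp, int *lenp, int fixed_len)
{
    int skipped = 0;

    /* A fixed-length buffer with no length cannot be measured safely;
     * refuse instead of falling through to strlen() on it. */
    if (fixed_len && *lenp < 0)
        return -1;

    /* Read the first byte only when a byte is known to exist: either the
     * string is NUL-terminated (no fixed buffer) or its length is positive. */
    if ((!fixed_len || *lenp > 0) && (unsigned char)**sp == NULARG_TOKEN) {
        (*sp)++;
        (*lenp)--;          /* as in the original: may go negative */
        skipped = 1;
    }

    /* An unknown length is recomputed only for NUL-terminated strings. */
    if (*lenp < 0)
        *lenp = (int)strlen(*sp);

    return skipped;
}

int main(void)
{
    /* Constructed arena: a zero-length subject sitting one past its end. */
    static char arena[16];
    const char *s = arena + sizeof arena;
    int len = 0;
    return (skip_leading_nularg(&s, &len, 1) == 0 && len == 0) ? 0 : 1;
}
```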