* Another Zsh parser segmentation fault (heredoc)
From: Eduardo Bustamante
Date: 2017-05-08 13:49 UTC
To: zsh-workers

dualbus@debian:~/src/zsh/zsh$ git rev-parse HEAD
f25d01a97c61fdac5d6e0a6a8fb63b5b2b5f3393

dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v getredirs
0 {^X}<<0

dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 getredirs
MCB7GH08PDAK

(gdb) r -n getredirs
Starting program: /home/dualbus/src/zsh/zsh/Src/zsh -n getredirs
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000004c38e5 in taddstr (s=0x800035df20d2 <error: Cannot access memory at address 0x800035df20d2>) at text.c:148
#2  0x00000000004c3df9 in taddlist (state=0x7fffffffcc28, num=0) at text.c:174
#3  0x00000000004c1b72 in gettext2 (state=0x7fffffffcc28) at text.c:510
#4  0x00000000004c3150 in getjobtext (prog=0x7ffff7e5b360, c=0x7ffff7e5b3a4) at text.c:337
#5  0x000000000043b78b in execpline2 (state=0x7fffffffde20, pcode=131, how=18, input=0, output=0, last1=0) at exec.c:1865
#6  0x0000000000433f6e in execpline (state=0x7fffffffde20, slcode=9218, how=18, last1=0) at exec.c:1602
#7  0x0000000000432dfe in execlist (state=0x7fffffffde20, dont_change_job=0, exiting=0) at exec.c:1360
#8  0x000000000043277e in execode (p=0x7ffff7e5b360, dont_change_job=0, exiting=0, context=0x4d90c4 "toplevel") at exec.c:1141
#9  0x000000000045e366 in loop (toplevel=1, justonce=0) at init.c:208
#10 0x00000000004627d6 in zsh_main (argc=3, argv=0x7fffffffe448) at init.c:1692
#11 0x0000000000411a32 in main (argc=3, argv=0x7fffffffe448) at ./main.c:93
* Re: Another Zsh parser segmentation fault (heredoc)
From: Peter Stephenson
Date: 2017-05-08 16:45 UTC
To: zsh-workers; +Cc: Eduardo Bustamante

On Mon, 8 May 2017 08:49:49 -0500
Eduardo Bustamante <dualbus@gmail.com> wrote:
> dualbus@debian:~/src/zsh/zsh$ git rev-parse HEAD
> f25d01a97c61fdac5d6e0a6a8fb63b5b2b5f3393
>
> dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v getredirs
> 0 {^X}<<0

That's an ASCII character 24 but any single non-identifier character triggers the underlying bug. There's an off-by-one in the test for the argument, or, to use the technical phrase, crap programming.

This isn't a syntax error as the {varid} syntax was added quite late, so it errs on the side of leaving irrelevant arguments alone.

pws

diff --git a/Src/parse.c b/Src/parse.c
index b0de9a8..8769baa 100644
--- a/Src/parse.c
+++ b/Src/parse.c
@@ -1836,7 +1836,7 @@ par_simple(int *cmplx, int nr)
 	    if (*ptr == Outbrace && ptr > tokstr + 1)
 	    {
-		if (itype_end(tokstr+1, IIDENT, 0) >= ptr - 1)
+		if (itype_end(tokstr+1, IIDENT, 0) >= ptr)
 		{
 		    char *toksave = tokstr;
 		    char *idstring = dupstrpfx(tokstr+1, eptr-tokstr-1);
diff --git a/Test/A04redirect.ztst b/Test/A04redirect.ztst
index 2671080..cb82751 100644
--- a/Test/A04redirect.ztst
+++ b/Test/A04redirect.ztst
@@ -165,6 +165,15 @@
 ?About to close a second time
 *?\(eval\):*: failed to close file descriptor *
 
+  eval $'fn-varid() { print {\x18}<<0 }'
+  { which -x2 fn-varid; fn-varid } | tr $'\x18' '?'
+0:Regression test for off-by-one in varid check
+>fn-varid () {
+> print {?} <<0
+>0
+>}
+>{?}
+
   print foo >&-
 0:'>&-' redirection
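Review bot: in the Src/parse.c hunk, the corrected bound `>= ptr` is right but the intent would be clearer as `== ptr` with a one-line comment. The check passes only when itype_end() has consumed everything up to the Outbrace at `ptr`; if itype_end() can never scan past that token byte, `>=` and `==` are equivalent, and `==` makes it obvious that the identifier run must reach the brace exactly. The old `>= ptr - 1` also accepted any identifier followed by one trailing non-identifier byte (e.g. `{ab!}`), not only the single-byte case from the report, which is worth stating in the commit message.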
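Review bot: the Test/A04redirect.ztst hunk pins down only the empty-identifier case (`{\x18}`); the same off-by-one in `>= ptr - 1` also accepted an identifier with one trailing non-identifier byte, so a second case such as `print {ab!} <<0` expected to print `{ab!}` would guard against a regression that reintroduces `- 1`. The `tr $'\x18' '?'` post-processing is a good way to keep the expected output printable; consider the same trick if the second case uses a control character too.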
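The off-by-one pws describes, modelled as an added example (my code, not zsh's): the function below reproduces the shape of the `{varid}` check in par_simple() with both bounds side by side. ident_end() is an assumed stand-in for itype_end(s, IIDENT, 0) that treats only [A-Za-z0-9_] as identifier characters (zsh's real IIDENT class is locale-aware), and the `slack` parameter is my device for selecting the old `>= ptr - 1` bound (1) or the fixed `>= ptr` bound (0). It models only the acceptance predicate, not the later crash path through getjobtext()/taddstr() in the backtrace.

```c
/*
 * Added example, not zsh source: a model of the {varid} redirect check from
 * par_simple() in Src/parse.c, showing why the old bound `>= ptr - 1`
 * accepted a lone non-identifier byte (and an identifier plus one stray
 * byte) between the braces, while the fixed `>= ptr` does not.
 *
 * Assumptions: ident_end() stands in for itype_end(s, IIDENT, 0) and treats
 * only [A-Za-z0-9_] as identifier characters; `slack` is not in zsh, it just
 * selects the bound: 1 = old `>= ptr - 1`, 0 = fixed `>= ptr`.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return a pointer to the first byte of s that is not an identifier char. */
static const char *ident_end(const char *s)
{
    while (*s && (isalnum((unsigned char)*s) || *s == '_'))
        s++;
    return s;
}

/*
 * Decide whether a word of the form "{...}" in front of a redirection is
 * taken as a {varid} target (1) or left alone as an ordinary word (0).
 * Mirrors:  if (*ptr == Outbrace && ptr > tokstr + 1)
 *               if (itype_end(tokstr+1, IIDENT, 0) >= ptr - slack) ...
 */
int accepts_varid(const char *tokstr, int slack)
{
    size_t len = strlen(tokstr);
    const char *ptr;

    if (len < 2 || tokstr[0] != '{')
        return 0;
    ptr = tokstr + len - 1;             /* the closing brace, if any */
    if (*ptr != '}' || ptr <= tokstr + 1)
        return 0;                       /* not "{...}", or empty braces */

    /* With slack == 1, an identifier run that stops one byte short of the
     * brace (including an empty run before a single stray byte) passes. */
    return ident_end(tokstr + 1) >= ptr - slack;
}

/* Render control characters as '?' for display, like the regression test's tr. */
static void printable(const char *w, char *out, size_t n)
{
    size_t i;
    for (i = 0; w[i] && i + 1 < n; i++)
        out[i] = isprint((unsigned char)w[i]) ? w[i] : '?';
    out[i] = '\0';
}

int main(void)
{
    /* Constructed inputs; "{\x18}" is the fuzzer's word from the report. */
    const char *cases[] = { "{fd}", "{\x18}", "{?}", "{a!}", "{}", "{ab" };
    char buf[16];
    size_t i;

    printf("%-8s %-12s %s\n", "word", ">= ptr - 1", ">= ptr");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printable(cases[i], buf, sizeof buf);
        printf("%-8s %-12d %d\n", buf,
               accepts_varid(cases[i], 1), accepts_varid(cases[i], 0));
    }
    return 0;
}
```

Under the old bound `{?}` and `{a!}` are both taken as variable-fd redirect targets even though neither is an identifier; under the fixed bound only `{fd}` is, and the others fall through as ordinary words, which is the behaviour the regression test checks with `print {?} <<0`.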
Code repository for this public inbox: https://git.vuxu.org/mirror/zsh/