zsh-workers
* Zsh parser segmentation fault in strcatsub
@ 2017-05-15 21:30 Eduardo Bustamante
From: Eduardo Bustamante @ 2017-05-15 21:30 UTC (permalink / raw)
  To: zsh-workers; +Cc: Eduardo A. Bustamante López


dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 strcatsub

Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __strcpy_sse2_unaligned () at
../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:235
235     ../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S: No such
file or directory.
(gdb) bt
#0  __strcpy_sse2_unaligned () at
../sysdeps/x86_64/multiarch/strcpy-sse2-unaligned.S:235
#1  0x00000000004c12ab in strcatsub (d=0x7fff6a5f47b8,
    pb=0x7fa742ad6bed
"0\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl0200000"...,
    pe=0x7fa742ad6c38
"0\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060"...,
    src=0x7fa742ac7128 "69000000\205\217%0000000000\203 ", '0'
<repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
000000"..., l=224,
    s=0x7fa742ad6c93
"\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl020000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\066\071\060\060\060\060\060\060\205\217%0000000000\203
", '0' <repeats 14 times>, "\203 ", '0' <repeats 16 times>,
"\203\252\060\060\060\060\060\060\203\266\060\060\203\265\060\060\060\060\203\266\203\266\203\255\060\060\060\060\060\060\060\205\217\210fzfLl02"...,
glbsub=0, copied=1) at subst.c:738
#2  0x00000000004bf1ad in paramsubst (l=0x7fff6a5f53b0,
n=0x7fff6a5f5398, str=0x7fff6a5f4d70, qt=0, pf_flags=4,
    ret_flags=0x7fff6a5f534c) at subst.c:4031
#3  0x00000000004b5083 in stringsubst (list=0x7fff6a5f53b0,
node=0x7fff6a5f5398, pf_flags=4, ret_flags=0x7fff6a5f534c, asssub=0)
    at subst.c:247
#4  0x00000000004b4435 in prefork (list=0x7fff6a5f53b0, flags=4,
ret_flags=0x7fff6a5f534c) at subst.c:85
#5  0x00000000004b5abc in singsub (s=0x7fff6a5f5c08) at subst.c:430
#6  0x00000000004bb85b in paramsubst (l=0x7fff6a5f6390,
n=0x7fa742ad6cc8, str=0x7fff6a5f5d40, qt=0, pf_flags=0,
    ret_flags=0x7fff6a5f631c) at subst.c:3011
#7  0x00000000004b5083 in stringsubst (list=0x7fff6a5f6390,
node=0x7fa742ad6cc8, pf_flags=0, ret_flags=0x7fff6a5f631c, asssub=0)
    at subst.c:247
#8  0x00000000004b4435 in prefork (list=0x7fff6a5f6390, flags=0,
ret_flags=0x7fff6a5f631c) at subst.c:85
#9  0x0000000000440df5 in execcmd_getargs (preargs=0x7fa742ad37c8,
args=0x7fa742ad3688, expand=1) at exec.c:2659
#10 0x000000000043c1eb in execcmd_exec (state=0x7fff6a5f8230,
eparams=0x7fff6a5f70f0, input=0, output=0, how=18, last1=2)
    at exec.c:2765
#11 0x000000000043b804 in execpline2 (state=0x7fff6a5f8230, pcode=131,
how=18, input=0, output=0, last1=0) at exec.c:1873
#12 0x0000000000433f6e in execpline (state=0x7fff6a5f8230,
slcode=3074, how=18, last1=0) at exec.c:1602
#13 0x0000000000432dfe in execlist (state=0x7fff6a5f8230,
dont_change_job=0, exiting=0) at exec.c:1360
#14 0x000000000043277e in execode (p=0x7fa742ad3528,
dont_change_job=0, exiting=0, context=0x4d9274 "toplevel") at
exec.c:1141
#15 0x000000000045e366 in loop (toplevel=1, justonce=0) at init.c:208
#16 0x0000000000462846 in zsh_main (argc=3, argv=0x7fff6a5f8858) at init.c:1692
#17 0x0000000000411a32 in main (argc=3, argv=0x7fff6a5f8858) at ./main.c:93

[-- Attachment #2: strcatsub --]
[-- Type: application/octet-stream, Size: 233 bytes --]


* Re: Zsh parser segmentation fault in strcatsub
From: Bart Schaefer @ 2017-05-16  0:48 UTC (permalink / raw)
  To: zsh-workers; +Cc: Eduardo Bustamante

On Mon, May 15, 2017 at 2:30 PM, Eduardo Bustamante <dualbus@gmail.com> wrote:
>
> Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.

I can't reproduce this with any of "zsh -f", "zsh -nf", or "zsh -nvf"
when using the latest checkout from git and the file you attached.
Valgrind reports no problems.

You are not using "-f".  Is it possible that a setting in a startup
file is affecting this?



* Re: Zsh parser segmentation fault in strcatsub
From: Eduardo Bustamante @ 2017-05-16  1:36 UTC (permalink / raw)
  To: Bart Schaefer; +Cc: zsh-workers

On Mon, May 15, 2017 at 7:48 PM, Bart Schaefer
<schaefer@brasslantern.com> wrote:
[...]
> You are not using "-f".  Is it possible that a setting in a startup
> file is affecting this?

How do you build Zsh?

Here's how I build it (with Clang, or GCC+ASAN).

dualbus@debian:~/src/zsh/zsh$ git rev-parse HEAD
171e7fa4c1d9cbf0d8ff35ee795e1599913aa329

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang CFLAGS='-O0
-ggdb' LDFLAGS='' ./configure && make -j4
[...]

dualbus@debian:~/src/zsh/zsh$ md5sum strcatsub
45a3a29522b0bd62d073d791b722ce02  strcatsub

dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
Segmentation fault

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CFLAGS='-O0 -ggdb
-fsanitize=address -fno-omit-frame-pointer' LDFLAGS=-lasan ./configure
&& make -j4
[...]

dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
=================================================================
==2860==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6290000041f8 at pc 0x56236c85fac3 bp 0x7ffe5ddad580 sp
0x7ffe5ddad578
READ of size 1 at 0x6290000041f8 thread T0
    #0 0x56236c85fac2 in mb_metacharlenconv
/home/dualbus/src/zsh/zsh/Src/utils.c:5370
    #1 0x56236c82ee04 in dopadding /home/dualbus/src/zsh/zsh/Src/subst.c:922
    #2 0x56236c83cdba in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:4022
    #3 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #4 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #5 0x56236c82bc22 in singsub /home/dualbus/src/zsh/zsh/Src/subst.c:430
    #6 0x56236c8375b9 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:3011
    #7 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #8 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #9 0x56236c73114a in execcmd_getargs
/home/dualbus/src/zsh/zsh/Src/exec.c:2659
    #10 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
    #11 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
    #12 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
    #13 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
    #14 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
    #15 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
    #16 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
    #17 0x56236c6dd31f in main main.c:93
    #18 0x7f8561b282b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #19 0x56236c6dd1f9 in _start (/home/dualbus/src/zsh/zsh/Src/zsh+0x421f9)

0x6290000041f8 is located 0 bytes to the right of 16376-byte region
[0x629000000200,0x6290000041f8)
allocated by thread T0 here:
    #0 0x7f85628a1d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x56236c7b4df3 in zalloc /home/dualbus/src/zsh/zsh/Src/mem.c:966
    #2 0x56236c7b2ff9 in zhalloc /home/dualbus/src/zsh/zsh/Src/mem.c:639
    #3 0x56236c82874e in dupstring /home/dualbus/src/zsh/zsh/Src/string.c:39
    #4 0x56236c7a003f in parse_subst_string
/home/dualbus/src/zsh/zsh/Src/lex.c:1710
    #5 0x56236c837436 in paramsubst /home/dualbus/src/zsh/zsh/Src/subst.c:2975
    #6 0x56236c82a954 in stringsubst /home/dualbus/src/zsh/zsh/Src/subst.c:247
    #7 0x56236c829070 in prefork /home/dualbus/src/zsh/zsh/Src/subst.c:85
    #8 0x56236c73114a in execcmd_getargs
/home/dualbus/src/zsh/zsh/Src/exec.c:2659
    #9 0x56236c731b24 in execcmd_exec /home/dualbus/src/zsh/zsh/Src/exec.c:2765
    #10 0x56236c72b753 in execpline2 /home/dualbus/src/zsh/zsh/Src/exec.c:1873
    #11 0x56236c7286bc in execpline /home/dualbus/src/zsh/zsh/Src/exec.c:1602
    #12 0x56236c72699e in execlist /home/dualbus/src/zsh/zsh/Src/exec.c:1360
    #13 0x56236c725117 in execode /home/dualbus/src/zsh/zsh/Src/exec.c:1141
    #14 0x56236c77a9a5 in loop /home/dualbus/src/zsh/zsh/Src/init.c:208
    #15 0x56236c784757 in zsh_main /home/dualbus/src/zsh/zsh/Src/init.c:1692
    #16 0x56236c6dd31f in main main.c:93
    #17 0x7f8561b282b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/dualbus/src/zsh/zsh/Src/utils.c:5370 in mb_metacharlenconv
==2860==ABORTING

It doesn't segfault if I run it under Valgrind.



* Re: Zsh parser segmentation fault in strcatsub
From: Bart Schaefer @ 2017-05-16  3:38 UTC (permalink / raw)
  To: Eduardo Bustamante; +Cc: Zsh hackers list


On Mon, May 15, 2017 at 6:36 PM, Eduardo Bustamante <dualbus@gmail.com>
wrote:
> On Mon, May 15, 2017 at 7:48 PM, Bart Schaefer
> <schaefer@brasslantern.com> wrote:
> [...]
>> You are not using "-f". Is it possible that a setting in a startup
>> file is affecting this?
>
> How do you build Zsh?

However "configure" does by default; I'm not attempting anything special
with CFLAGS.

For the .o files the command is e.g.:
gcc -c -I. -I../Src -I../Src -I../Src/Zle -I. -DHAVE_CONFIG_H -Wall
-Wmissing-prototypes -ggdb -o mem.o mem.c

For the final link:
gcc -g -rdynamic -o zsh main.o `cat stamp-modobjs`
-L/usr/lib/x86_64-linux-gnu -lpcre -ldl -lncursesw -lrt -lm -lc

If I run it without -n, I get something like
strcatsub:1: command not found: 14507000000000000


* Re: Zsh parser segmentation fault in strcatsub
From: Peter Stephenson @ 2017-05-16  8:47 UTC (permalink / raw)
  To: zsh-workers; +Cc: Eduardo Bustamante

On Mon, 15 May 2017 17:48:07 -0700
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Mon, May 15, 2017 at 2:30 PM, Eduardo Bustamante <dualbus@gmail.com> wrote:
> >
> > Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
> 
> I can't reproduce this with any of "zsh -f", "zsh -nf", or "zsh -nvf"
> when using the latest checkout from git and the file you attached.
> Valgrind reports no problems.

It's possible it's a variant of the previous string handling problem in
patterns (41096 / 4bb81eef), which had murky effects.

pws



* Re: Zsh parser segmentation fault in strcatsub
From: Daniel Shahaf @ 2017-05-16 13:30 UTC (permalink / raw)
  To: Peter Stephenson; +Cc: zsh-workers, Eduardo Bustamante

Peter Stephenson wrote on Tue, May 16, 2017 at 09:47:23 +0100:
> On Mon, 15 May 2017 17:48:07 -0700
> Bart Schaefer <schaefer@brasslantern.com> wrote:
> > On Mon, May 15, 2017 at 2:30 PM, Eduardo Bustamante <dualbus@gmail.com> wrote:
> > >
> > > Core was generated by `/home/dualbus/src/zsh/zsh/Src/zsh -nv strcatsub'.
> > 
> > I can't reproduce this with any of "zsh -f", "zsh -nf", or "zsh -nvf"
> > when using the latest checkout from git and the file you attached.
> > Valgrind reports no problems.
> 
> It's possible it's a variant of the previous string handling problem in
> patterns, (41096 / 4bb81eef) which had murky effects.

Building a tree newer than that revision (171e7fa4c1d9 + some local
patches that don't go anywhere near the parser), I get:

[[[
% /path/to/installed/zsh -fnv strcatsub
$$0000${(e0z)^Y-000${(z)^Y-00>



{000000}0}0
00}${%0000000000000000000000000000000000000000�000000�00�0000���0000000${(fzfLl0200oNN�?>&9������//��?0B0mpr0200%����O�)3oN0iO0)c000%000000000000}�0�000000�00��0000000000000�00�}00%                                                                     
]]]

where the final % is in reverse video, but stays there even with -o nopromptsp.

If I remove the -f, it outputs the same junk, but preceded by the
entirety of my .zshenv.  All that goes to stderr.

My configure line:

    ./configure --enable-zsh-debug --with-term-lib=ncursesw --prefix=$HOME/prefix/zsh
    perl -pi -e 's/link=dynamic/link=static/g; if (/link=static/) { s/auto=yes/auto=no/ }' config.modules



* Re: Zsh parser segmentation fault in strcatsub
From: Bart Schaefer @ 2017-05-17 18:37 UTC (permalink / raw)
  To: zsh-workers; +Cc: Eduardo Bustamante

On May 15,  8:36pm, Eduardo Bustamante wrote:
}
} dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf strcatsub
} =================================================================
} ==2860==ERROR: AddressSanitizer: heap-buffer-overflow on address
} 0x6290000041f8 at pc 0x56236c85fac3 bp 0x7ffe5ddad580 sp
} 0x7ffe5ddad578
} READ of size 1 at 0x6290000041f8 thread T0
}     #0 0x56236c85fac2 in mb_metacharlenconv
} /home/dualbus/src/zsh/zsh/Src/utils.c:5370
}     #1 0x56236c82ee04 in dopadding /home/dualbus/src/zsh/zsh/Src/subst.c:922

So this is
	cl = MB_METACHARLENCONV(t, &cchar);
and at least from my sources the reported error is on
	STOUC(*s)
that is, on the dereference of the pointer "t" from dopadding.

Could this be an architecture endianness issue while trying to interpret
bytes as belonging to a multibyte character?

Can you repeat the crash with multibyte support disabled in the compile?

I don't have clang readily available to try that compiler.


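Bart's reading above, that the sanitizer fires on the dereference of `t` inside MB_METACHARLENCONV, points at a general hazard: walking a metafied string with no bound other than its terminator. The block below is an added model of that hazard, not zsh's code; it uses zsh's real Meta convention (0x83 followed by the byte XOR 0x20, which is why the trace shows `\203 ` for an escaped NUL), while the function names and the sample buffers are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
/* zsh stores strings "metafied": a byte that collides with an internal
 * token (NUL included) is written as Meta (0x83) followed by the byte
 * XOR 0x20. In the backtrace above "\203 " is an escaped NUL and
 * "\203\266" an escaped 0x96. */
#define META 0x83

/* Naive walker (hypothetical): trusts the NUL terminator alone. When the
 * last byte before the terminator is a lone Meta, "p += 2" steps over the
 * NUL and the loop keeps reading whatever follows the allocation, the
 * kind of read ASan reports as "0 bytes to the right" of a heap region. */
size_t unmeta_len_naive(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t n = 0;
    while (*p) {
        p += (*p == META) ? 2 : 1;
        n++;
    }
    return n;
}

/* Bounded decoder (hypothetical): the caller passes the allocation length
 * and an optional output buffer. Returns the decoded length, or -1 if a
 * Meta has no following byte inside the buffer, so no read crosses the end. */
long unmeta_decode(const char *s, size_t len, unsigned char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)s, *end = p + len;
    size_t n = 0;
    while (p < end && *p) {
        unsigned char c;
        if (*p == META) {
            if (p + 1 >= end)
                return -1;            /* truncated escape: refuse, don't read on */
            c = p[1] ^ 0x20;
            p += 2;
        } else {
            c = *p++;
        }
        if (out && n < outlen)
            out[n] = c;
        n++;
    }
    return (long)n;
}

int main(void)
{
    /* Constructed inputs: a valid metafied fragment following the trace's
     * byte pattern, and a string ending in a lone Meta with two canary
     * bytes placed after its NUL so the naive walk stays observable. */
    static const char good[] = "0\203\266\203 x";
    static const char bad[]  = "ab\203\0XY";
    unsigned char out[16];
    printf("bounded, valid input: %ld decoded bytes\n",
           unmeta_decode(good, sizeof good - 1, out, sizeof out));
    printf("naive, lone trailing Meta: %zu (walked past the NUL onto the canary)\n",
           unmeta_len_naive(bad));
    printf("bounded, lone trailing Meta: %ld (refused)\n",
           unmeta_decode(bad, 3, out, sizeof out));
    return 0;
}
```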

* Re: Zsh parser segmentation fault in strcatsub
From: Eduardo Bustamante @ 2017-05-18  2:21 UTC (permalink / raw)
  To: Bart Schaefer; +Cc: zsh-workers

On Wed, May 17, 2017 at 1:37 PM, Bart Schaefer
<schaefer@brasslantern.com> wrote:
[...]
>
> Can you repeat the crash with multibyte support disabled in the compile?

I can't get it to crash with multibyte support disabled. Also, it
seems that the --enable-zsh-debug makes the crash go away (although I
suspect that just may be because the payload doesn't overflow the
heap).

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=gcc-6 CFLAGS='-O0
-ggdb' ./configure --enable-zsh-debug --disable-multibyte && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02  /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=gcc-6 CFLAGS='-O0
-ggdb' ./configure --enable-zsh-debug --enable-multibyte && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02  /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' ./configure --enable-zsh-debug --disable-multibyte
&& make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02  /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' ./configure --enable-zsh-debug --enable-multibyte
&& make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02  /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' LDFLAGS='' ./configure  --enable-multibyte && make
-j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02  /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
Segmentation fault

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=clang-3.9
CFLAGS='-O0 -ggdb' LDFLAGS='' ./configure  --disable-multibyte && make
-j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02  /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub

dualbus@debian:~/src/zsh/zsh$ ./Util/preconfig && CC=gcc-6 CFLAGS='-O0
-ggdb' LDFLAGS='' ./configure  --enable-multibyte && make -j4
[...]
dualbus@debian:~/src/zsh/zsh$ md5sum /tmp/strcatsub
45a3a29522b0bd62d073d791b722ce02  /tmp/strcatsub
dualbus@debian:~/src/zsh/zsh$ ./Src/zsh -nf /tmp/strcatsub
Segmentation fault


The reason I build it with CFLAGS='-O0 -ggdb' LDFLAGS='' is that the
Makefile kept stripping symbols from the binary, so I hacked around it
by passing an empty LDFLAGS, but now I realize that --enable-zsh-debug
is what I was looking for.


