PATCH: menu-selection null deref if initial selection not in display

PATCH: menu-selection null deref if initial selection not in display

[Oliver Kiddle]

When menu select starts, if the initially selected match would require a
scrolled display, it seg faults.

mline is used to identify the line in the display on which the current
selection is but it is initialised to 0 and doesn't get set correctly
if it should actually start out as something other than 0. Steps to
reproduce this are as follows.

  autoload -U compinit;compinit
  zstyle ':completion*:default' menu select
  zmodload zsh/complist
  _segf() {
      local m disp
      m=( {01..$LINES}:description )
      zformat -a disp " -- " $m

      compstate[insert]="menu:-1"
      compadd -ld disp -a m
  }
  compdef _segf segf
  segf <tab>

The patch below allows the code to go back to the beginning of the main
for loop in domenucomplete. mtab_been_reallocated has been set and so
mline will be calculated.

You can create a similar situation by reducing the size of the terminal
window until the selection is obscured. That only results in a messed
up display but would be trickier to fix because the code path in that
case goes straight from zrefresh() to complistmatches(). If I resize the
window a lot with menu-selectiona active, I can fairly reliably get it
to crash after not too long.

Oliver

diff --git a/Src/Zle/complist.c b/Src/Zle/complist.c
index aae6504..f37a432 100644
--- a/Src/Zle/complist.c
+++ b/Src/Zle/complist.c
@@ -2071,6 +2071,7 @@ complistmatches(UNUSED(Hookdef dummy), Chdata dat)
 	memset(mgtab, 0, i * sizeof(Cmgroup));
 	mlastcols = mcols = zterm_columns;
 	mlastlines = mlines = listdat.nlines;
+	mmtabp = 0;
     }
     last_cap = (char *) zhalloc(max_caplen + 1);
     *last_cap = '\0';
@@ -2562,6 +2563,8 @@ domenuselect(Hookdef dummy, Chdata dat)
 	}
 	p = mmtabp;
 	pg = mgtabp;
+	if (!p) /* selected match not in display, find line */
+	    continue;
 	minfo.cur = *p;
 	minfo.group = *pg;
 	if (setwish)