From: Kamil Dudka
To: zsh-workers@zsh.org
Subject: infinite recursion in ihungetc()
Date: Wed, 22 Jul 2015 13:45:06 +0200
Message-ID: <2874073.clZcYqQZLr@kdudka.brq.redhat.com>
X-Seq: 35851

Fedora Analysis Framework captured 10 crashes of zsh-5.0.8 due to infinite
recursion in ihungetc():

https://retrace.fedoraproject.org/faf/reports/717794/

The infinite recursion happens at this line:

http://repo.or.cz/w/zsh/mirror.git/blob/a0862f63:/Src/hist.c#l908

The 'hungetc' code pointer is obviously set to ihungetc() itself. We do not
have a full backtrace of the crash but shouldn't there be any condition to
actually stop the recursion when the conditions at lines 906-907 are true and
hungetc points at ihungetc()? There is no single command that could invalidate
any of the conditions after nesting deeper into the recursion...

Kamil