zsh-workers
* [BUG] Misplaced quote in %d printf format crashes Zsh
@ 2024-06-08 21:12 Philippe Altherr
  2024-06-08 23:04 ` Mark J. Reed
  0 siblings, 1 reply; 4+ messages in thread
From: Philippe Altherr @ 2024-06-08 21:12 UTC (permalink / raw)
  To: Zsh hackers list


On macOS 14.5 running Zsh 5.9, the following command crashes Zsh:

% zsh -c "printf -v result \" %5'd\""

zsh:printf:1: %5': invalid directive

zsh(41890,0x7ff8450ddfc0) malloc: *** error for object 0x600002c811e0:
pointer being realloc'd was not allocated

zsh(41890,0x7ff8450ddfc0) malloc: *** set a breakpoint in
malloc_error_break to debug

zsh: abort      zsh -c "printf -v result \" %5'd\""

Surprisingly, dropping the -v option, removing the space before the %, or
adding an echo command after the printf command avoids the crash:

% zsh -c "printf \" %5'd\""

zsh:printf:1: %5': invalid directive

 %

% zsh -c "printf -v result \"%5'd\""

zsh:printf:1: %5': invalid directive

% zsh -c "printf -v result \" %5'd\"; echo foo"

zsh:printf:1: %5': invalid directive

foo

Philippe


* Re: [BUG] Misplaced quote in %d printf format crashes Zsh
  2024-06-08 21:12 [BUG] Misplaced quote in %d printf format crashes Zsh Philippe Altherr
@ 2024-06-08 23:04 ` Mark J. Reed
  2024-06-09  0:23   ` Mark J. Reed
  0 siblings, 1 reply; 4+ messages in thread
From: Mark J. Reed @ 2024-06-08 23:04 UTC (permalink / raw)
  To: Zsh hackers list


I'm away from my Mac at the moment, but FWIW, the crash does not appear to
happen on Windows (MSYS64):

(0)> printf -v result " %5'd"
printf: %5': invalid directive
(1)> $0 --version
zsh 5.9 (x86_64-pc-msys)



-- 
Mark J. Reed <markjreed@gmail.com>


* Re: [BUG] Misplaced quote in %d printf format crashes Zsh
  2024-06-08 23:04 ` Mark J. Reed
@ 2024-06-09  0:23   ` Mark J. Reed
  2024-06-11  2:24     ` Jun T
  0 siblings, 1 reply; 4+ messages in thread
From: Mark J. Reed @ 2024-06-09  0:23 UTC (permalink / raw)
  To: Zsh hackers list


Duplicated on my Macs; /bin/zsh (5.9) exhibits the crash on both x86_64 and
ARM (M2).

My locally-built 5.9.0.1-dev does not exhibit the symptom. To see if it was
a build thing or the result of a code change, I checked out the zsh-5.9 tag
and built that... and it also did not crash. So it seems to be something
about Apple's build environment.



-- 
Mark J. Reed <markjreed@gmail.com>


* Re: [BUG] Misplaced quote in %d printf format crashes Zsh
  2024-06-09  0:23   ` Mark J. Reed
@ 2024-06-11  2:24     ` Jun T
  0 siblings, 0 replies; 4+ messages in thread
From: Jun T @ 2024-06-11  2:24 UTC (permalink / raw)
  To: zsh-workers


> 2024/06/09 9:23, Mark J. Reed <markjreed@gmail.com> wrote:
> 
> Duplicated on my Macs; /bin/zsh (5.9) exhibits the crash on both x86_64 and ARM (M2). 
> 
> My locally-built 5.9.0.1-dev does not exhibit the symptom. To see if it was a build thing or the result of a code change, I checked out the zsh-5.9 tag and built that... and it also did not crash. So it seems to be something about Apple's build environment.

Which version of macOS are you using?
I tested on Ventura (13.6.3) and got the same crash with my local build
of both zsh-5.9 and the current git HEAD.

Valgrind (on Linux) tells me that the memory allocated at line 4877 in
builtin.c is lost:
        ASSIGN_MSTREAM(buf,fout);

free(buf) _is_ called at line 5863, but it seems we need fclose(fout)
before freeing the memory. But the macro CLOSE_CLEANLY(fout) does not close
fout since CLOSE_FOUT() does nothing if HAVE_OPEN_MEMSTREAM is defined.

As the comment /* Why do we care about a clean close here? */ suggests,
I guess we can simply close fout if it is not stdout, just like lines
5228, 5265, 5299.



diff --git a/Src/builtin.c b/Src/builtin.c
index 7bfb1ce1d..cd0ee7522 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -5455,9 +5455,8 @@ bin_print(char *name, char **args, Options ops, int func)
 		}
 		zwarnnam(name, "%s: invalid directive", start);
 		if (*c) c[1] = save;
-		/* Why do we care about a clean close here? */
-		if (!CLOSE_CLEANLY(fout))
-		    zwarnnam(name, "write error: %e", errno);
+		if (fout != stdout)
+		    fclose(fout);
 #ifdef HAVE_OPEN_MEMSTREAM
 		if (buf)
 		    free(buf);
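Review bot: the return value of fclose(fout) is discarded in the replacement lines, so a write error on the stream that the removed CLOSE_CLEANLY branch reported with "write error: %e" now goes unnoticed on this path; keeping the warning costs one line, e.g. `if (fout != stdout && fclose(fout) != 0) zwarnnam(name, "write error: %e", errno);`. The ordering the hunk establishes, closing fout before the `free(buf)` under HAVE_OPEN_MEMSTREAM, is the part that matters for the reported crash: an open memstream may reallocate its buffer when it is flushed or closed, so freeing buf while the stream is still open leaves the later close reallocating a pointer that was already freed, which matches the malloc abort in the original report.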

--
Jun
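A stand-alone C illustration of the open_memstream lifecycle that the patch above restores: close the stream before freeing its buffer, on the error path as well as the success path. This is an added example, not zsh's code; `render_via_memstream` and the two check helpers are hypothetical names, and the stray-quote check only stands in for the builtin's "invalid directive" bail-out.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype so the example also builds under a strict -std= that
 * hides POSIX extensions; the signature matches POSIX.1-2008. */
FILE *open_memstream(char **bufp, size_t *sizep);

/* Format `text` into a heap string through a memstream, the mechanism the
 * builtin uses for `printf -v`. Returns a malloc'd string the caller frees,
 * or NULL with *err set on a write error or a simulated invalid directive.
 * Rule being demonstrated: fclose(fout) must run BEFORE free(buf) on every
 * exit path, because a memstream may realloc its buffer on flush/close and
 * only guarantees that `buf` is final once fclose() has returned. */
char *render_via_memstream(const char *text, int *err)
{
    char *buf = NULL;
    size_t len = 0;
    FILE *fout = open_memstream(&buf, &len);
    if (!fout) { *err = errno; return NULL; }

    if (strchr(text, '\'')) {        /* stand-in for the %5'd bail-out */
        *err = EINVAL;
        if (fclose(fout) != 0)       /* close first: finalises (may realloc) buf */
            *err = errno;
        free(buf);                   /* now safe: buf is whatever fclose left */
        return NULL;
    }
    fputs(text, fout);
    if (fclose(fout) != 0) { *err = errno; free(buf); return NULL; }
    *err = 0;
    return buf;                      /* len bytes plus NUL, owned by caller */
}

/* 1 if formatting round-trips through the memstream, 0 otherwise. */
int memstream_roundtrip_ok(const char *text)
{
    int err = 0;
    char *s = render_via_memstream(text, &err);
    int ok = s != NULL && err == 0 && strcmp(s, text) == 0;
    free(s);
    return ok;
}

/* 1 if the error path bails out cleanly: NULL result, EINVAL, no abort. */
int memstream_error_path_ok(void)
{
    int err = 0;
    return render_via_memstream(" %5'd", &err) == NULL && err == EINVAL;
}
```

Running it under Valgrind, as Jun did with zsh, reports no leak and no invalid free; swapping the `fclose` and `free` calls in the error branch reproduces the realloc-of-freed-pointer class of failure from the original report.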
