From: "Jun. T" <takimoto-j@kba.biglobe.ne.jp>
Subject: [PATCH] fix coredump when length in ${name:off:length} is broken
Message-Id: <529528DB-F08E-4201-828A-22825451B65C@kba.biglobe.ne.jp>
Date: Fri, 16 Jul 2021 00:06:09 +0900
To: zsh-workers@zsh.org
X-Seq: 49166

This is a patch for the bug #1 reported in workers/45843:

> 2020/05/19 15:48, Aaron Esau wrote:
>
> ------ #1 :: null dereference in check_colon_subscript in subst.c ------
(snip)
>
> "${: :${{{\"{{i use arch btw}}"

We get a coredump if the length part of ${name:offset:length} is seriously
broken; the name and offset parts can be "normal". For example
"${foo:0:${\"}}" gives a coredump at line 3367 in subst.c:

3365:	    check_offset = check_colon_subscript(check_offset2 + 1,
3366:						&check_offset2);
3367:	    if (*check_offset2 && *check_offset2 != ':') {

When check_colon_subscript() returns NULL, check_offset2 is (not always
but usually) reset to NULL (line 1576).

With the patch below, "${foo:0:${\"}}" gives an error

    unrecognized modifier `$'

diff --git a/Src/subst.c b/Src/subst.c
index 87a56c3c6..465fe970f 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -3362,13 +3362,15 @@ colonsubscript: return NULL; } if (*check_offset2) { + char *nextp; check_offset =3D check_colon_subscript(check_offset2 = + 1, - = &check_offset2); - if (*check_offset2 && *check_offset2 !=3D ':') { - zerr("invalid length: %s", check_offset); - return NULL; - } + &nextp); if (check_offset) { + check_offset2 =3D nextp; + if (*check_offset2 && *check_offset2 !=3D ':') { + zerr("invalid length: %s", check_offset); + return NULL; + } length =3D mathevali(check_offset); length_set =3D 1; if (errflag) diff --git a/Test/D04parameter.ztst b/Test/D04parameter.ztst index 05bb61bdc..b6b1f2e33 100644 --- a/Test/D04parameter.ztst +++ b/Test/D04parameter.ztst @@ -2664,10 +2664,9 @@ F:behavior, see = http://austingroupbugs.net/view.php?id=3D888 >3: pw >4: pw =20 - # Using a subshell because it segfaults. - ("${: :${{{\"{{lorem ipsum dolor sit amet}}") --f:regression test for workers/45843#1 -?(eval):1: bad substitution + : "${foo:0:${\"}}" +1:broken length in ${name:offset:length} (workers/45843#1) +?(eval):1: unrecognized modifier `$' =20 $ZTST_testdir/../Src/zsh -fc $'$\\\n(' 1:regression test for workers/45843#2: escaped newline in command = substitution start token
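Review bot: in the Src/subst.c hunk, `nextp` is declared without an initializer and is written by check_colon_subscript() only on its success path; the hunk reads it solely inside `if (check_offset)`, so this is safe, but it deserves a one-line comment (or `char *nextp = NULL;`) so that nobody later "simplifies" the guard and reintroduces the NULL dereference this patch removes. On the NULL-return path check_offset2 is now left pointing at the unparsed length text rather than at whatever check_colon_subscript() wrote, and the `invalid length` check is skipped entirely; please confirm that the code following this block (not visible in the hunk) does not rely on check_offset2 having been advanced, and that check_colon_subscript() has already reported the failure via zerr()/errflag, since the expected `unrecognized modifier` message must come from there.

Review bot: in the Test/D04parameter.ztst hunk, the replacement drops the originally reported input `"${: :${{{\"{{lorem ipsum dolor sit amet}}"` and covers only the simpler `"${foo:0:${\"}}"`; the bug report's string exercises a different broken offset/length shape, so keep it as a second case so a regression on that path is still caught. The removed case also ran in a subshell specifically so that a segfault would not abort the whole test file; the new in-process form means a regression here kills the ztst run instead of failing one test, which is worth either accepting deliberately or avoiding by restoring the subshell.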