This is a patch for the bug #1 reported in workers/45843:

> 2020/05/19 15:48, Aaron Esau <arinerron@protonmail.com> wrote:
> > ------ #1 :: null dereference in check_colon_subscript in subst.c ------
(snip)
> > "${: :${{{\"{{i use arch btw}}"

We get coredump if the length part of ${name:offset:length} is seriously broken; name and offset parts can be "normal". For example "${foo:0:${\"}}" gives coredump at line 3367 in subst.c:

3365:	    check_offset = check_colon_subscript(check_offset2 + 1,
3366:						 &check_offset2);
3367:	    if (*check_offset2 && *check_offset2 != ':') {

When check_colon_subscript() returns NULL, check_offset2 is (not always but usually) reset to NULL (line 1576). With the patch below, "${foo:0:${\"}}" gives an error

unrecognized modifier `$'

diff --git a/Src/subst.c b/Src/subst.c
index 87a56c3c6..465fe970f 100644
--- a/Src/subst.c
+++ b/Src/subst.c
@@ -3362,13 +3362,15 @@ colonsubscript:
 	    return NULL;
 	}
 	if (*check_offset2) {
+	    char *nextp;
 	    check_offset = check_colon_subscript(check_offset2 + 1,
-						 &check_offset2);
-	    if (*check_offset2 && *check_offset2 != ':') {
-		zerr("invalid length: %s", check_offset);
-		return NULL;
-	    }
+						 &nextp);
 	    if (check_offset) {
+		check_offset2 = nextp;
+		if (*check_offset2 && *check_offset2 != ':') {
+		    zerr("invalid length: %s", check_offset);
+		    return NULL;
+		}
 		length = mathevali(check_offset);
 		length_set = 1;
 		if (errflag)
diff --git a/Test/D04parameter.ztst b/Test/D04parameter.ztst
index 05bb61bdc..b6b1f2e33 100644
--- a/Test/D04parameter.ztst
+++ b/Test/D04parameter.ztst
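Review bot: `nextp` is declared uninitialized and is only copied into `check_offset2` once `check_colon_subscript` has returned non-NULL, so the fix relies on that helper always writing through its second argument on success and on it having already reported the error when it returns NULL; neither contract is visible in this hunk, and the enclosing function starts and ends outside it. A defensive `char *nextp = NULL;` costs nothing and turns a future contract change into a clean NULL dereference rather than a read of stack garbage. A short why-comment on the new assignment would also record the intent, e.g. `/* advance past the length field only once it parsed; on failure check_offset2 is left untouched */`, since the previous code passed `&check_offset2` straight through and a reader may otherwise wonder why the temporary exists.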
@@ -2664,10 +2664,9 @@ F:behavior, see http://austingroupbugs.net/view.php?id=888
 >3: pw
 >4: pw
 
-  # Using a subshell because it segfaults.
-  ("${: :${{{\"{{lorem ipsum dolor sit amet}}")
--f:regression test for workers/45843#1
-?(eval):1: bad substitution
+  : "${foo:0:${\"}}"
+1:broken length in ${name:offset:length} (workers/45843#1)
+?(eval):1: unrecognized modifier `$'
 
 $ZTST_testdir/../Src/zsh -fc $'$\\\n('
 1:regression test for workers/45843#2: escaped newline in command substitution start token
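Review bot: The new test replaces the original reproducer from the report, the subshell-wrapped `"${: :${{{\"{{lorem ipsum dolor sit amet}}"` case, instead of adding the `"${foo:0:${\"}}"` case next to it, so the exact input that was reported to crash is no longer exercised by the suite. The two inputs are not obviously equivalent (the commit message itself notes that check_offset2 is "not always" reset to NULL), so keeping both as separate test cases gives stronger regression coverage; once the crash is fixed the old case no longer needs the subshell and can carry its own expected status and `?` error line. If the old case was dropped deliberately because its error output is unstable, a one-line comment above the new test saying so would save the next reader from re-adding it.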