Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 40994
From: "Jun T."
Subject: [PATCH] fix unmeta_one() (double counting Meta)
Message-Id: <8C69FFF6-75BB-48F0-8603-B18B3AB9C52C@kba.biglobe.ne.jp>
Date: Sat, 22 Apr 2017 02:44:18 +0900
To: zsh-workers@zsh.org

unmeta_one() (in utils.c) seems to have a simple problem. It calls
mb_metacharlenconv_r(), whose return value already includes the number
of extra bytes for Meta. So taking account of them at lines 4814-4819
makes the value of '*sz' too large. This leads to the following segfault:

% zsh -f
% autoload -Uz compinit; compinit
% zstyle ':completion:*' matcher-list 'm:{a-z}={A-Z}'

You may use any matcher you like. Then

% ls い        # い = U+3044, UTF-8: e3 81 84

hitting tab one or two times and zsh crashes.

The segfault is in cfp_matcher_pats(), at computil.c:4488; the pointer
mp has an invalid value. When unmeta_one(tmp, &cl) is called at line
4496, tmp = add = metafy(い) = 0xe3 0x81 0x83 0xa4. But unmeta_one(tmp,
&cl) sets cl to 5, not 4, and the variable tl becomes negative. Thus the
loop doesn't terminate until it crashes.

diff --git a/Src/utils.c b/Src/utils.c
index 9701ea7..ea4b34b 100644
--- a/Src/utils.c
+++ b/Src/utils.c
@@ -4797,7 +4797,6 @@ unmeta_one(const char *in, int *sz)
     convchar_t wc;
     int newsz;
 #ifdef MULTIBYTE_SUPPORT
-    int ulen;
     mbstate_t wstate;
 #endif
 
@@ -4810,13 +4809,7 @@ unmeta_one(const char *in, int *sz)
 
 #ifdef MULTIBYTE_SUPPORT
     memset(&wstate, 0, sizeof(wstate));
-    ulen = mb_metacharlenconv_r(in, &wc, &wstate);
-    while (ulen-- > 0) {
-	if (in[*sz] == Meta)
-	    *sz += 2;
-	else
-	    *sz += 1;
-    }
+    *sz = mb_metacharlenconv_r(in, &wc, &wstate);
 #else
     if (in[0] == Meta) {
 	*sz = 2;
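Review bot: the second hunk's replacement `*sz = mb_metacharlenconv_r(in, &wc, &wstate);` is right only because that function already returns a length in metafied bytes, which is exactly the contract the removed loop misread; a one-line comment above the call saying so (e.g. `/* length returned already counts Meta bytes */`) would keep the loop from being reintroduced, and the `ls い` completion crash described in the message deserves a regression test, since the patch adds none. The report also shows the caller in cfp_matcher_pats() (computil.c:4496) letting `tl` go negative and looping off the end of the buffer, so, independently of this fix, guarding that loop so it stops when `tl` reaches or drops below zero would turn a future over-count in unmeta_one() into a truncated match rather than a segfault.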
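The double count described above, worked through on the bytes from the report, as an added example that is not zsh's code: `metafy_str()` and `mb_metacharlen()` are simplified stand-ins for zsh's metafy() and mb_metacharlenconv_r() (they follow zsh's convention that Meta is 0x83 and the byte after it is XORed with 32, but escape only the range 0x83..0x9d and determine UTF-8 sequence length from the lead byte without a locale), `buggy_unmeta_len()` reproduces the removed loop, `fixed_unmeta_len()` the patched line, and `walk_chars()` is a constructed consumer loop that shows how an over-counted length runs past the end of a buffer.

```c
/* Added example, not zsh code. Shows why unmeta_one() over-counted and
 * what the patched version returns instead. All routines are simplified
 * stand-ins for zsh's, as noted in the comments. */
#include <stdio.h>
#include <string.h>

#define Meta 0x83   /* zsh's Meta byte; the next byte is XORed with 32 */

/* Assumption: only 0x83..0x9d need escaping here (enough for 0x84). */
static int needs_meta(unsigned char c) { return c >= 0x83 && c <= 0x9d; }

/* Simplified metafy: writes metafied form of in[0..len) to out (room for
 * 2*len+1 bytes), NUL-terminates it and returns the metafied length. */
static size_t metafy_str(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < len; i++) {
        if (needs_meta(in[i])) { out[o++] = Meta; out[o++] = in[i] ^ 32; }
        else out[o++] = in[i];
    }
    out[o] = 0;
    return o;
}

/* Raw (unmetafied) byte length of the UTF-8 sequence with lead byte b. */
static int utf8_seq_len(unsigned char b)
{
    if (b < 0x80) return 1;
    if ((b & 0xe0) == 0xc0) return 2;
    if ((b & 0xf0) == 0xe0) return 3;
    if ((b & 0xf8) == 0xf0) return 4;
    return 1;   /* invalid lead byte: treat as one byte */
}

/* Stand-in for mb_metacharlenconv_r(): number of METAFIED bytes taken by
 * the first character of s. The return value already counts Meta bytes,
 * which is the contract the removed loop overlooked. */
static int mb_metacharlen(const unsigned char *s)
{
    unsigned char lead = (s[0] == Meta) ? (unsigned char)(s[1] ^ 32) : s[0];
    int raw = utf8_seq_len(lead), n = 0;
    for (int i = 0; i < raw; i++)
        n += (s[n] == Meta) ? 2 : 1;
    return n;
}

/* The removed loop: treats the metafied length as if it were a count of
 * unmetafied bytes and adds the Meta bytes a second time. */
static int buggy_unmeta_len(const unsigned char *in)
{
    int sz = 0, ulen = mb_metacharlen(in);
    while (ulen-- > 0)
        sz += (in[sz] == Meta) ? 2 : 1;
    return sz;
}

/* The patched line: take the returned length as-is. */
static int fixed_unmeta_len(const unsigned char *in) { return mb_metacharlen(in); }

/* Constructed consumer: step through tl metafied bytes one character at a
 * time. Returns the character count, or -1 if a reported length would run
 * past the end of the buffer (the condition that crashed the matcher). */
static int walk_chars(const unsigned char *buf, int tl,
                      int (*len_fn)(const unsigned char *))
{
    int chars = 0;
    while (tl > 0) {
        int cl = len_fn(buf);
        if (cl > tl) return -1;   /* over-count: would read past the end */
        buf += cl; tl -= cl; chars++;
    }
    return chars;
}

int main(void)
{
    const unsigned char hira_i[] = {0xe3, 0x81, 0x84};   /* い, from the report */
    unsigned char m[8];
    size_t n = metafy_str(hira_i, sizeof hira_i, m);
    printf("metafied:");
    for (size_t i = 0; i < n; i++) printf(" %02x", m[i]);
    printf("\nbuggy length %d, fixed length %d\n",
           buggy_unmeta_len(m), fixed_unmeta_len(m));
    printf("walk with buggy length: %d, with fixed length: %d\n",
           walk_chars(m, (int)n, buggy_unmeta_len),
           walk_chars(m, (int)n, fixed_unmeta_len));
    return 0;
}
```

The walker returns -1 for the buggy length only because it refuses to consume more bytes than remain; the real loop in cfp_matcher_pats() had no such check, so `tl` went negative and it kept reading.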