zsh-workers
From: Bart Schaefer <schaefer@brasslantern.com>
To: "zsh-workers@zsh.org" <zsh-workers@zsh.org>
Subject: Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
Date: Sun, 28 Jun 2020 12:27:29 -0700
Message-ID: <CAH+w=7ZG2Gg1eby+qU62iLrB5cvshhqokvPCd9cKFdmJ4u_GzA@mail.gmail.com>
In-Reply-To: <CAH+w=7YVxqB5-TSO8QNvJajjv_MxnmWijd9PX=wkzXNu-GKGmg@mail.gmail.com>


On Sun, Jun 28, 2020 at 12:09 AM Bart Schaefer <schaefer@brasslantern.com>
wrote:

>
> % autoload compinit
> % compinit -D
> % setopt completeinword
> % alias a='"<left><TAB>
>
> I think it has to do with
> compset -P 1 '*='
> compset -q
>
> So, what's happening is that a=' turns into a=\"
>

Just to clarify, you can actually watch this happening in gdb if you set a
watchpoint on "offs" and step through a few instructions.

toltec-ubuntu% alias a='"
Hardware watchpoint 1: offs

Old value = 3
New value = 2
get_comp_string () at zle_tricky.c:1883
1883    if (*p == Snull && isset(RCQUOTES))
(gdb) p p
$24 = 0x865592 "\235\""
(gdb) p zlemetaline
$25 = 0x8b7a40 "alias a='\""
(gdb) n
1885    if (p[1] || *p != Bnull) {
(gdb) n
1886 if (*p == Bnull) {
(gdb)
1890    ocs = zlemetacs;
(gdb)
1891    zlemetacs = i;
(gdb) p ocs
$26 = 9
(gdb) n
1892    foredel(skipchars, CUT_RAW);
(gdb) n
1893    if ((zlemetacs = ocs) > --i) {
(gdb) p skipchars
$27 = 1
(gdb) p zlemetaline
$28 = 0x8b7a40 "alias a=\""
(gdb) where 2
#0  get_comp_string () at zle_tricky.c:1893
#1  0x0000000000545b5c in docomplete (lst=4) at zle_tricky.c:664


> and consequently increases the offset by one, but then
>

I think this diagnosis is wrong -- it's not that the offset is increased,
it's that zlemetaline is shortened (by removal of the single quote).

The end result is the same, though -- the start of the word is calculated
by subtracting the offset from the current position, and the resulting
index is off the left end.

> Having gotten that far, though, I don't know how to fix it.
>

The following may do it?  Completion tests still pass.  Without the change:

% autoload compinit zed
% compinit -D
% zstyle \* format %d
% alias a='<TAB>
% alias a=

With this change the vanishing quote mark no longer vanishes and a
description appears:

% autoload compinit zed
% compinit -D
% zstyle \* format %d
% alias a='<TAB>
`alias definition', `regular alias', `global alias', or `suffix alias'
alias definition
% alias a='

And the crash no longer happens when something appears after the single
quote.

I note that offs gets changed in the loop in an outer "else"-branch when
foredel/backdel are not called, too.  However, I'm not certain that the
edit should appear in BOTH hunks below.  Can anyone find any other test
cases that pass through this code?

diff --git a/Src/Zle/zle_tricky.c b/Src/Zle/zle_tricky.c
index fdd1687..2c24a13 100644
--- a/Src/Zle/zle_tricky.c
+++ b/Src/Zle/zle_tricky.c
@@ -1897,6 +1897,7 @@ get_comp_string(void)
                            zlemetacs = wb;
                    }
                    we -= skipchars;
+                   offs -= skipchars;
                }
            } else {
                ocs = zlemetacs;
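Review bot: the new `offs -= skipchars;` is unconditional, while the lines just above clamp `zlemetacs` with `if (wb > zlemetacs) zlemetacs = wb;`; nothing in this hunk keeps `offs` from going below zero when `skipchars` exceeds it, and the message itself says the word start is derived from the current position minus this offset. Consider mirroring the clamp (e.g. `if (offs >= skipchars) offs -= skipchars; else offs = 0;`) or at least a debug assertion that `offs >= skipchars` before the subtraction, and a one-line comment stating that the offset shrinks because foredel() shortened zlemetaline by `skipchars` bytes before the cursor.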
@@ -1910,6 +1911,7 @@ get_comp_string(void)
                if (wb > zlemetacs)
                    zlemetacs = wb;
                we -= skipchars;
+               offs -= skipchars;
            }
            /* we need to get rid of all the quotation bits... */
            while (skipchars--)
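Review bot: this second `offs -= skipchars;` sits in the `else` branch the message is unsure about, and the existing completion tests passing does not show either copy is exercised. A regression test for the case from this thread (`setopt completeinword`, then `alias a='<TAB>` and `alias a='"<left><TAB>`) should be added to the Test/ completion suite so each branch's adjustment is pinned down, and the same guard and comment suggested for the first hunk apply here, since `we -= skipchars;` and `offs -= skipchars;` are again applied without a lower bound on `offs`.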

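As an added illustration (constructed for this reply, not code from the message or from zsh), the following C model shows the bookkeeping the message describes: stripping quote characters shortens the line, and if the cursor-relative offset is not reduced by the same amount, the word start computed as position minus offset drifts off the left end of the buffer. The struct fields, the `strip_quotes` helper and the sample input are assumptions of the model, not zsh's own names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the bookkeeping in zsh's get_comp_string(); this is
 * illustrative code, not zsh's. `line` stands in for zlemetaline, `cs` for
 * zlemetacs (the cursor index) and `offs` for the cursor's distance from the
 * start of the word being completed, so the word starts at cs - offs. */
typedef struct {
    char line[32];
    int cs;
    int offs;
} CompState;

/* Delete `skipchars` bytes at index `i` (the quote characters completion
 * strips with foredel), keeping the cursor on the same text. With fix_offs
 * set the distance is corrected as the patch does (offs -= skipchars);
 * without it, offs still describes the old, longer line. */
static void strip_quotes(CompState *s, int i, int skipchars, int fix_offs)
{
    size_t len = strlen(s->line);
    memmove(s->line + i, s->line + i + skipchars, len - i - skipchars + 1);
    if (s->cs > i)
        s->cs -= skipchars;   /* the cursor sat after the removed bytes */
    if (fix_offs)
        s->offs -= skipchars;
}

/* Word start as the completion code derives it: position minus offset. */
static int word_start(const CompState *s) { return s->cs - s->offs; }

/* 1 if word_start() is a usable index into the line, 0 if it points off
 * the left end, which is the condition behind the reported crash. */
static int word_start_in_bounds(const CompState *s)
{
    int wb = word_start(s);
    return wb >= 0 && wb <= (int)strlen(s->line);
}

int main(void)
{
    /* Constructed input: `a='"` typed at the start of the line with the
     * cursor between the two quotes, so the word begins at 0 and offs is 3. */
    CompState bad = { "a='\"", 3, 3 }, good = bad;
    strip_quotes(&bad, 2, 1, 0);
    strip_quotes(&good, 2, 1, 1);
    printf("unadjusted: wb=%d in_bounds=%d\n", word_start(&bad), word_start_in_bounds(&bad));
    printf("adjusted:   wb=%d in_bounds=%d\n", word_start(&good), word_start_in_bounds(&good));
    return 0;
}
```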