Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 46163
From: Bart Schaefer
Date: Sun, 28 Jun 2020 12:27:29 -0700
Subject: Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
To: zsh-workers@zsh.org

On Sun, Jun 28, 2020 at 12:09 AM Bart Schaefer wrote:
>
> % autoload compinit
> % compinit -D
> % setopt completeinword
> % alias a='"
>
> I think it has to do with
> compset -P 1 '*='
> compset -q
>
> So, what's happening is that a=' turns into a=\"
>

Just to clarify, you can actually watch this happening in gdb if you set a
watchpoint on "offs" and step through a few instructions.

toltec-ubuntu% alias a='"

Hardware watchpoint 1: offs

Old value = 3
New value = 2
get_comp_string () at zle_tricky.c:1883
1883        if (*p == Snull && isset(RCQUOTES))
(gdb) p p
$24 = 0x865592 "\235\""
(gdb) p zlemetaline
$25 = 0x8b7a40 "alias a='\""
(gdb) n
1885        if (p[1] || *p != Bnull) {
(gdb) n
1886            if (*p == Bnull) {
(gdb)
1890            ocs = zlemetacs;
(gdb)
1891            zlemetacs = i;
(gdb) p ocs
$26 = 9
(gdb) n
1892            foredel(skipchars, CUT_RAW);
(gdb) n
1893            if ((zlemetacs = ocs) > --i) {
(gdb) p skipchars
$27 = 1
(gdb) p zlemetaline
$28 = 0x8b7a40 "alias a=\""
(gdb) where 2
#0  get_comp_string () at zle_tricky.c:1893
#1  0x0000000000545b5c in docomplete (lst=4) at zle_tricky.c:664

> and consequently increases the offset by one, but then
>

I think this diagnosis is wrong -- it's not that the offset is increased,
it's that zlemetaline is shortened (by removal of the single quote).  The
end result is the same, though -- the start of the word is calculated by
subtracting the offset from the current position, and the resulting index
is off the left end.

> Having gotten that far, though, I don't know how to fix it.
>

The following may do it?  Completion tests still pass.
Without the change:

% autoload compinit zed
% compinit -D
% zstyle \* format %d
% alias a='
% alias a=

With this change the vanishing quote mark no longer vanishes and a
description appears:

% autoload compinit zed
% compinit -D
% zstyle \* format %d
% alias a='
`alias definition', `regular alias', `global alias', or `suffix alias'
alias definition
% alias a='

And the crash no longer happens when something appears after the single
quote.

I note that offs gets changed in the loop in an outer "else"-branch when
foredel/backdel are not called, too.  However, I'm not certain that the
edit should appear in BOTH hunks below.  Can anyone find any other test
cases that pass through this code?

diff --git a/Src/Zle/zle_tricky.c b/Src/Zle/zle_tricky.c
index fdd1687..2c24a13 100644
--- a/Src/Zle/zle_tricky.c
+++ b/Src/Zle/zle_tricky.c
@@ -1897,6 +1897,7 @@ get_comp_string(void)
                     zlemetacs = wb;
                 }
                 we -= skipchars;
+                offs -= skipchars;
             }
         } else {
             ocs = zlemetacs;
@@ -1910,6 +1911,7 @@ get_comp_string(void)
             if (wb > zlemetacs)
                 zlemetacs = wb;
             we -= skipchars;
+            offs -= skipchars;
         }
         /* we need to get rid of all the quotation bits... */
         while (skipchars--)
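Review bot: in the first hunk the new `offs -= skipchars;` has no lower bound, unlike the `zlemetacs = wb;` clamp two lines above it, and the message itself notes that offs is also adjusted in an outer "else"-branch of the same loop, so the two adjustments can compound on an input that passes through both. Suggest guarding it, e.g. `if (offs >= skipchars) offs -= skipchars; else offs = 0;`, and adding a one-line comment saying that offs is being kept in step with the foredel() at line 1892 so that the word start (cursor position minus offs) stays inside zlemetaline.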
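Review bot: the second hunk applies the identical `offs -= skipchars;` in the else-branch, but nothing in this message exercises that path: the gdb trace goes through foredel() at line 1892 and stops at 1893, which is the branch of the first hunk, and the author's own note says the placement in both hunks is uncertain. Suggest either adding a test case that reaches line 1910, so the Completion tests cover both paths, or leaving this hunk out until one is found; if this branch handles quotes removed at or after the cursor, the cursor's distance from the word start does not change and offs should not be decremented here.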
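The index arithmetic described in the message, as an added example that is not part of Bart's message or of zsh's code: a small C model of the relationship between the editing buffer, the cursor and offs (the cursor's distance from the start of the word being completed, so the word starts at cursor minus offs). The struct and function names, the word `a='"` used as constructed input, and the lower-bound guard in the patched variant are assumptions made for illustration. The unpatched variant strips the quote and leaves offs alone, so the computed word start lands at index -1; the patched variant shrinks offs by exactly as much as the cursor moved, and a bounds-checked accessor refuses to read before the buffer.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not zsh code.  Models the bookkeeping in
 * get_comp_string() that the gdb trace above steps through:
 *   line : editing buffer           (stands in for zlemetaline)
 *   cs   : cursor index into line   (stands in for zlemetacs)
 *   offs : cursor's distance from the start of the word being completed,
 *          so the word starts at cs - offs
 * Names and the sample input are assumptions made for the example.
 */
struct comp_state {
    char line[32];
    int  cs;
    int  offs;
};

/* Delete n bytes at pos, the way foredel() does once the cursor has been
 * parked at pos.  A cursor to the right of the deleted span moves left with
 * the text; what happens to offs is left to the caller. */
static void delete_bytes(struct comp_state *s, int pos, int n)
{
    size_t len = strlen(s->line);

    if (pos < 0 || n <= 0 || (size_t)pos + (size_t)n > len)
        return;
    memmove(s->line + pos, s->line + pos + n, len - pos - n + 1);
    if (s->cs >= pos + n)
        s->cs -= n;
    else if (s->cs > pos)
        s->cs = pos;
}

/* Unpatched behaviour: the quote is removed and offs is left alone, so
 * cs - offs drifts one position to the left of the real word start. */
int word_start_unpatched(struct comp_state *s, int qpos, int skipchars)
{
    delete_bytes(s, qpos, skipchars);
    return s->cs - s->offs;
}

/* Patched behaviour: offs shrinks by exactly the distance the cursor moved,
 * so the word start stays where it was; the lower bound is a defensive
 * addition in this model, not something the posted patch does. */
int word_start_patched(struct comp_state *s, int qpos, int skipchars)
{
    int old_cs = s->cs;

    delete_bytes(s, qpos, skipchars);
    s->offs -= old_cs - s->cs;
    if (s->offs < 0)
        s->offs = 0;
    return s->cs - s->offs;
}

/* Bounds-checked view of the word: returns NULL instead of reading before
 * the buffer when the computed start is off the left end. */
const char *word_at(const struct comp_state *s, int start)
{
    if (start < 0 || (size_t)start > strlen(s->line))
        return NULL;
    return s->line + start;
}

/* Constructed input: the word a='" from the report, cursor at its end. */
struct comp_state sample_state(void)
{
    struct comp_state s;

    strcpy(s.line, "a='\"");
    s.cs = 4;
    s.offs = 4;   /* word starts at index 0 */
    return s;
}

int main(void)
{
    struct comp_state s = sample_state();
    int ws = word_start_unpatched(&s, 2, 1);   /* strip the single quote */
    const char *w = word_at(&s, ws);

    printf("unpatched: line=\"%s\" cs=%d offs=%d start=%d -> %s\n",
           s.line, s.cs, s.offs, ws, w ? w : "OUT OF RANGE");

    s = sample_state();
    ws = word_start_patched(&s, 2, 1);
    w = word_at(&s, ws);
    printf("patched:   line=\"%s\" cs=%d offs=%d start=%d -> %s\n",
           s.line, s.cs, s.offs, ws, w ? w : "OUT OF RANGE");
    return 0;
}
```

The model deliberately adjusts offs by the distance the cursor actually moved rather than by skipchars unconditionally, which is the difference between the posted hunks and what a reviewer would want checked: when the deleted bytes do not lie between the word start and the cursor, the cursor does not move and offs must not change.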