zsh-workers
* Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
@ 2023-05-26 19:37 Eric Freese
  2023-05-27  1:46 ` Bart Schaefer
  2023-06-05  7:11 ` Jun T
  0 siblings, 2 replies; 4+ messages in thread
From: Eric Freese @ 2023-05-26 19:37 UTC (permalink / raw)
  To: zsh-workers

Hi,

I've come across a segfault when shell history has been loaded from a
file and contains a command where a null byte was entered into the
line editor via ^V^@ (opposed to typing as $'\0'). Reverse
subscripting $historywords on a pattern that does not match triggers
the error.

I've reproduced the segfault on my local 5.9 installation as well as
in the zsh-users/zsh-docker images [1] for master, 5.4, and 4.3.11.

Here is my output. Note that I typed the ^@ by pressing ctrl+v
followed by ctrl+space.

```
% docker run --rm -it zshusers/zsh:master
06e7a43e26d3# HISTFILE=$(mktemp)
06e7a43e26d3# SAVEHIST=30
06e7a43e26d3# : ^@
06e7a43e26d3# fc -W
06e7a43e26d3# fc -R
06e7a43e26d3# echo $historywords[(r)nomatch*]
zsh: segmentation fault (core dumped)  zsh -df
```

[1]: https://github.com/zsh-users/zsh-docker

Cheers,
Eric



* Re: Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
From: Bart Schaefer @ 2023-05-27  1:46 UTC (permalink / raw)
  To: Eric Freese; +Cc: zsh-workers

On Fri, May 26, 2023 at 12:37 PM Eric Freese <ericdfreese@gmail.com> wrote:
>
> I've come across a segfault when shell history has been loaded from a
> file and contains a command where a null byte was entered into the
> line editor via ^V^@ (opposed to typing as $'\0'). Reverse
> subscripting $historywords on a pattern that does not match triggers
> the error.

I can't reproduce a crash with workers/51739 - does your build have that commit?

However, I do get:
BUG: substring ends in the middle of a metachar in ztrsub()



* Re: Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
From: Bart Schaefer @ 2023-05-27  7:33 UTC (permalink / raw)
  To: Eric Freese; +Cc: Zsh hackers list

On Fri, May 26, 2023 at 6:46 PM Bart Schaefer <schaefer@brasslantern.com>
wrote:
>
> I can't reproduce a crash with workers/51739

Ah, it's not that commit, it's having compiled with DEBUG defined.


* Re: Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
From: Jun T @ 2023-06-05  7:11 UTC (permalink / raw)
  To: zsh-workers


> 2023/05/27 4:37, Eric Freese <ericdfreese@gmail.com> wrote:
> 
> I've come across a segfault when shell history has been loaded from a
> file and contains a command where a null byte was entered into the
> line editor via ^V^@ (opposed to typing as $'\0'). Reverse
> subscripting $historywords on a pattern that does not match triggers
> the error.

Is this enough?


diff --git a/Src/hist.c b/Src/hist.c
index 7e6394406..e2b4b0b22 100644
--- a/Src/hist.c
+++ b/Src/hist.c
@@ -3796,8 +3796,14 @@ histsplitwords(char *lineptr, short **wordsp, int *nwordsp, int *nwordposp,
 			zrealloc(words, nwords*sizeof(*words));
 		}
 		words[nwordpos++] = lineptr - start;
-		while (*lineptr && !inblank(*lineptr))
-		    lineptr++;
+		while (*lineptr) {
+		    if (*lineptr == Meta && lineptr[1])
+			lineptr += 2;
+		    else if (!inblank(*lineptr))
+			lineptr++;
+		    else
+			break;
+		}
 		words[nwordpos++] = lineptr - start;
 	    }
 	} while (*lineptr);
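
Review bot: the new `if (*lineptr == Meta && lineptr[1])` branch has no comment saying why the byte after Meta is stepped over without being passed to inblank(), and the fix depends on exactly that. The second byte of a Meta pair is encoded data rather than a character in its own right, so testing it for blankness is how the old `while (*lineptr && !inblank(*lineptr))` loop could end a word between the two bytes, which matches the "substring ends in the middle of a metachar" message reported earlier in the thread. A short comment above the branch would keep a later cleanup from folding it back into the single-byte test. The same comment should cover the trailing case: when Meta is the last byte before the terminator, `lineptr[1]` is zero, control falls through to the `!inblank(*lineptr)` test, and the loop then stops on the NUL. The diff touches only Src/hist.c, so a regression test built from the reproducer in the original report (a history line containing ^@, written with fc -W, read back with fc -R, then `$historywords[(r)nomatch*]`) should accompany it.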





