* Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
From: Eric Freese @ 2023-05-26 19:37 UTC (permalink / raw)
To: zsh-workers
Hi,
I've come across a segfault when shell history has been loaded from a
file and contains a command where a null byte was entered into the
line editor via ^V^@ (opposed to typing as $'\0'). Reverse
subscripting $historywords on a pattern that does not match triggers
the error.
I've reproduced the segfault on my local 5.9 installation as well as
in the zsh-users/zsh-docker images [1] for master, 5.4, and 4.3.11.
Here is my output. Note that I typed the ^@ by pressing ctrl+v
followed by ctrl+space.
```
% docker run --rm -it zshusers/zsh:master
06e7a43e26d3# HISTFILE=$(mktemp)
06e7a43e26d3# SAVEHIST=30
06e7a43e26d3# : ^@
06e7a43e26d3# fc -W
06e7a43e26d3# fc -R
06e7a43e26d3# echo $historywords[(r)nomatch*]
zsh: segmentation fault (core dumped) zsh -df
```
[1]: https://github.com/zsh-users/zsh-docker
Cheers,
Eric
* Re: Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
From: Bart Schaefer @ 2023-05-27 1:46 UTC (permalink / raw)
To: Eric Freese; +Cc: zsh-workers
On Fri, May 26, 2023 at 12:37 PM Eric Freese <ericdfreese@gmail.com> wrote:
>
> I've come across a segfault when shell history has been loaded from a
> file and contains a command where a null byte was entered into the
> line editor via ^V^@ (opposed to typing as $'\0'). Reverse
> subscripting $historywords on a pattern that does not match triggers
> the error.
I can't reproduce a crash with workers/51739 - does your build have that commit?
However, I do get:
BUG: substring ends in the middle of a metachar in ztrsub()
* Re: Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
From: Bart Schaefer @ 2023-05-27 7:33 UTC (permalink / raw)
To: Eric Freese; +Cc: Zsh hackers list
On Fri, May 26, 2023 at 6:46 PM Bart Schaefer <schaefer@brasslantern.com>
wrote:
>
> I can't reproduce a crash with workers/51739
Ah, it's not that commit, it's having compiled with DEBUG defined.
* Re: Bug: Null byte in shell history causes segfault during $historywords reverse subscripting
From: Jun T @ 2023-06-05 7:11 UTC (permalink / raw)
To: zsh-workers
> 2023/05/27 4:37, Eric Freese <ericdfreese@gmail.com> wrote:
>
> I've come across a segfault when shell history has been loaded from a
> file and contains a command where a null byte was entered into the
> line editor via ^V^@ (opposed to typing as $'\0'). Reverse
> subscripting $historywords on a pattern that does not match triggers
> the error.
Is this enough?
diff --git a/Src/hist.c b/Src/hist.c
index 7e6394406..e2b4b0b22 100644
--- a/Src/hist.c
+++ b/Src/hist.c
@@ -3796,8 +3796,14 @@ histsplitwords(char *lineptr, short **wordsp, int *nwordsp, int *nwordposp,
zrealloc(words, nwords*sizeof(*words));
}
words[nwordpos++] = lineptr - start;
- while (*lineptr && !inblank(*lineptr))
- lineptr++;
+ while (*lineptr) {
+ if (*lineptr == Meta && lineptr[1])
+ lineptr += 2;
+ else if (!inblank(*lineptr))
+ lineptr++;
+ else
+ break;
+ }
words[nwordpos++] = lineptr - start;
}
} while (*lineptr);
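Review bot: The new loop needs a comment at `if (*lineptr == Meta && lineptr[1])` saying why the byte after Meta is skipped without being passed to inblank(), since that is the whole fix and the code alone does not explain it. The comment should also cover the `lineptr[1]` guard: a lone Meta at the end of the line is not skipped as a pair and instead falls through to the inblank() test, which is worth stating as intended. Since the thread reports both a segfault and, with DEBUG defined, the ztrsub() "substring ends in the middle of a metachar" message, a regression test that replays the reported `fc -W` / `fc -R` / `$historywords[(r)nomatch*]` sequence would confirm that the offsets stored in `words[]` no longer fall inside a Meta pair.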