segfault

segfault

[yac yac]

[-- Attachment #1: Type: text/plain, Size: 320 bytes --]

Hi, I managed to segfault zsh:

yac@remy % zsh a.sh
b d


zsh: segmentation fault (core dumped)  zsh a.sh

using:

#! /usr/bin/env zsh

#declare -A foo=( a b c d )
function foo {
  local -A foo=( a b c d )
  echo "${(@)foo[@]}"

  bar
}

function bar {
  echo "${(P)1[@]}"
  echo "${(kP)1[@]}"
  ${(AA)1=bar=foo}
}

foo

Re: segfault

[yac yac]

[-- Attachment #1: Type: text/plain, Size: 484 bytes --]

Oh, and

% zsh --version
zsh 5.3.1 (x86_64-unknown-linux-gnu)

2017-06-04 4:59 GMT+02:00 yac yac <yac@blesmrt.net>:

> Hi, I managed to segfault zsh:
>
> yac@remy % zsh a.sh
> b d
>
>
> zsh: segmentation fault (core dumped)  zsh a.sh
>
> using:
>
> #! /usr/bin/env zsh
>
> #declare -A foo=( a b c d )
> function foo {
>   local -A foo=( a b c d )
>   echo "${(@)foo[@]}"
>
>   bar
> }
>
> function bar {
>   echo "${(P)1[@]}"
>   echo "${(kP)1[@]}"
>   ${(AA)1=bar=foo}
> }
>
> foo
>

Re: segfault

[Bart Schaefer]

On Sat, Jun 3, 2017 at 7:59 PM, yac yac <yac@blesmrt.net> wrote:
> Hi, I managed to segfault zsh:

I can reproduce, but the example provided is more complicated than
necessary.  All you need is ${(AA)1=} which tries to interpret the
positional parameter $1 as a hash table.  I haven't yet found why this
happens for positional parameters and not other parameters.

Re: segfault

[Bart Schaefer]

On Jun 3, 11:38pm, Bart Schaefer wrote:
}
} All you need is ${(AA)1=} which tries to interpret the
} positional parameter $1 as a hash table.

Any obvious problems with the following?  Other than that t = "1" so it
ends up looking like a line number in the error message -- but I'm not
sure what to do with that without changing the error message format for
other parameters.


diff --git a/Src/params.c b/Src/params.c
index d92dd22..6fbee88 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -3242,12 +3242,17 @@ sethparam(char *s, char **val)
     if (!(v = fetchvalue(&vbuf, &s, 1, SCANPM_ASSIGNING))) {
 	createparam(t, PM_HASHED);
 	checkcreate = 1;
-    } else if (!(PM_TYPE(v->pm->node.flags) & PM_HASHED) &&
-	     !(v->pm->node.flags & PM_SPECIAL)) {
-	unsetparam(t);
-	/* no WARNCREATEGLOBAL check here as parameter already existed */
-	createparam(t, PM_HASHED);
-	v = NULL;
+    } else if (!(PM_TYPE(v->pm->node.flags) & PM_HASHED)) {
+	if (!(v->pm->node.flags & PM_SPECIAL)) {
+	    unsetparam(t);
+	    /* no WARNCREATEGLOBAL check here as parameter already existed */
+	    createparam(t, PM_HASHED);
+	    v = NULL;
+	} else {
+	    zerr("%s: can't change type of a special parameter", t);
+	    unqueue_signals();
+	    return NULL;
+	}
     }
     if (!v)
 	if (!(v = fetchvalue(&vbuf, &t, 1, SCANPM_ASSIGNING))) {

Re: segfault

[Peter Stephenson]

On Sun, 4 Jun 2017 21:00:22 -0700
Bart Schaefer <schaefer@brasslantern.com> wrote:
> On Jun 3, 11:38pm, Bart Schaefer wrote:
> }
> } All you need is ${(AA)1=} which tries to interpret the
> } positional parameter $1 as a hash table.
> 
> Any obvious problems with the following?

That looks a definite improvement.

pws