List-Id: Zsh Workers List
X-Seq: 34562
In-Reply-To: <20150216170413.054623af@pwslap01u.europe.root.pri>
References: <150214102534.ZM4368@torch.brasslantern.com>
 <20150214214209.6d2f5e7e@ntlworld.com>
 <150215112622.ZM11584@torch.brasslantern.com>
 <20150216125749.7a26822c@pwslap01u.europe.root.pri>
 <20150216170413.054623af@pwslap01u.europe.root.pri>
Date: Tue, 17 Feb 2015 10:02:14 +0100
Subject: Re: PATCH: Crash bug on garbage input (previously reported to Debian)
From: Mikael Magnusson
To: Peter Stephenson
Cc: zsh workers

On Mon, Feb 16, 2015 at 6:04 PM, Peter Stephenson wrote:
> Here's a simple fix for appending to the input buffer instead of
> replacing it for this case.
> > diff --git a/Src/input.c b/Src/input.c > index 9520fdd..f919e57 100644 > --- a/Src/input.c > +++ b/Src/input.c > @@ -330,8 +330,37 @@ inputline(void) > } > } > isfirstch = 1; > - /* Put this into the input channel. */ > - inputsetline(ingetcline, INP_FREE); > + if ((inbufflags & INP_APPEND) && inbuf) { > + /* > + * We need new input but need to be able to back up > + * over the old input, so append this line. > + * Pushing the line onto the stack doesn't have the right > + * effect. > + * > + * This is quite a simple and inefficient fix, but currently > + * we only need it when backing up over a multi-line $((... > + * that turned out to be a command substitution rather than > + * a math substitution, which is a very special case. > + * So it's not worth rewriting. > + */ > + char *oinbuf = inbuf; > + int newlen = strlen(ingetcline); > + int oldlen = (int)(inbufptr - inbuf) + inbufleft; > + if (inbufflags & INP_FREE) { > + inbuf = realloc(inbuf, oldlen + newlen + 1); > + inbufptr += inbuf - oinbuf; > + strcpy(inbuf + oldlen, ingetcline); Coverity complains that ingetcline is not freed in the above path. +free(ingetcline); here? > + } else { > + /* Paranoia: don't think this is used */ > + DPUTS(1, "Appending to unallocated input line."); > + } > + inbufleft += newlen; > + inbufct += newlen; > + inbufflags |= INP_FREE; > + } else { > + /* Put this into the input channel. */ > + inputsetline(ingetcline, INP_FREE); > + } > > return 0; > } -- Mikael Magnusson
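
Review bot: The three updates after the inner if/else (inbufleft += newlen; inbufct += newlen; inbufflags |= INP_FREE;) also run when the "Appending to unallocated input line." branch is taken, where nothing was copied. In that case the counters claim newlen bytes that are not in inbuf, and the buffer is flagged INP_FREE although this code did not allocate it, so a later read can run past the end of the buffer and a later free can be handed a pointer that was never allocated. Moving those three statements inside the INP_FREE branch, or making the else branch copy the old contents into a fresh allocation before appending, would close that. In the INP_FREE branch itself, the result of realloc() is assigned straight to inbuf and used by "inbufptr += inbuf - oinbuf" and strcpy() with no failure check, and the adjustment subtracts oinbuf after realloc() may already have released it; saving the offset (inbufptr - inbuf) before the call and re-deriving inbufptr from the new base afterwards avoids relying on the stale pointer. The append path also copies ingetcline rather than handing it to inputsetline(..., INP_FREE), so the original line is no longer owned by anything after the strcpy(), which matches the Coverity report mentioned in the reply.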