zsh-workers
From: Mikael Magnusson <mikachu@gmail.com>
To: zsh workers <zsh-workers@zsh.org>
Subject: Possible NULL deref in cfp_matcher_range?
Date: Sun, 5 Jul 2015 16:52:19 +0200
Message-ID: <CAHYJk3TCpJ9=GWttiD3QKWRuqMtKmyWyqv2gkcgsQy=NruKpHQ@mail.gmail.com>

Checking some stuff with clang, and it complained here;

static char *
cfp_matcher_range(Cmatcher *ms, char *add)
{
    Cmatcher *mp, m;
    int len = 0, mt;
    char *ret = NULL, *p = NULL, *adds = add;

    /*
     * Do this twice:  once to work out the length of the
     * string in len, the second time to build it in ret.
     * This is probably worthwhile because otherwise memory
     * management is difficult.
     */
    for (;;) {
        MB_METACHARINIT();
        for (mp = ms; *add; ) {
            convchar_t addc;
            int addlen;

            addlen = MB_METACHARLENCONV(add, &addc);
#ifdef MULTIBYTE_SUPPORT
            if (addc == WEOF)
                addc = (wchar_t)(*p == Meta ? p[1] ^ 32 : *p);
#endif


First run through this code p is NULL, and the other places all (at
least the ones I looked at) protect accesses to p by "if (ret)" (which
is set at the same time as p). Should this do that, and/or do
something clever with len at the same time? Is there any way to
actually trigger addc to be WEOF here? Presumably if it is WEOF on the
second run when  is set, then it was also WEOF the first time.

-- 
Mikael Magnusson
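Added example, not zsh's code: a stand-alone C version of the measure-then-build loop discussed above, written so that every dereference of the output cursor p is guarded by "if (ret)", since p is NULL during the first (length-only) pass. Bytes >= 0x80 and the p[-1] fallback are constructed stand-ins for the WEOF branch; they are not how zsh decodes characters.

```c
/* Two-pass string builder: pass one counts bytes (ret == NULL, p == NULL),
 * pass two writes them into the buffer allocated from that count.
 * Any branch that reads through p must be reachable only when ret is set. */
#include <stdlib.h>
#include <string.h>

static char *two_pass_copy(const char *add)
{
    char *ret = NULL, *p = NULL;
    size_t len = 0;

    for (;;) {
        const char *s = add;
        while (*s) {
            unsigned char c = (unsigned char)*s++;
            char out;

            if (c < 0x80) {
                out = (char)c;               /* ordinary byte: copied as-is */
            } else if (ret) {
                /* Stand-in for the WEOF case: the replacement is derived
                 * from output already written, which exists only in pass
                 * two. Without the "ret" check this would read p[-1] with
                 * p == NULL on pass one. */
                out = (p > ret) ? p[-1] : '?';
            } else {
                out = 0;                     /* unknown yet, length is 1 either way */
            }

            if (ret)
                *p++ = out;                  /* pass two: build */
            else
                len++;                       /* pass one: measure */
        }
        if (ret) {
            *p = '\0';
            return ret;
        }
        ret = malloc(len + 1);
        if (!ret)
            return NULL;
        p = ret;
    }
}
```

Both passes emit exactly one output byte per input byte, so the length computed with p == NULL stays consistent with what pass two writes.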


Thread overview: 3+ messages
2015-07-05 14:52 Mikael Magnusson [this message]
2015-07-05 17:34 ` Peter Stephenson
2015-07-05 21:16   ` Mikael Magnusson