From mboxrd@z Thu Jan 1 00:00:00 1970
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 41064
From: Eduardo Bustamante
Date: Mon, 8 May 2017 08:53:46 -0500
Subject: Zsh parser malloc corruption
To: zsh-workers@zsh.org
Cc: Eduardo A. Bustamante López
Content-Type: text/plain; charset=UTF-8

dualbus@debian:~/bash-fuzzing/zsh-parser$ cat -v malloc-corruption
0000000000000000000000000000000000000000${0#0000000000000000^@000000000000000000000000000000000000000000000000000^@^@000M-^GM-^O0000000$000000#000000000000$$$0}000000000000&0000000000000000000000000000000000000000000000000000000000000000&00000000
dualbus@debian:~/bash-fuzzing/zsh-parser$ base64 malloc-corruption
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCR7MCMwMDAwMDAwMDAwMDAw
MDAwADAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMAAA
MDAwh48wMDAwMDAwJDAwMDAwMCMwMDAwMDAwMDAwMDAkJCQwfTAwMDAwMDAwMDAwMCYwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
JjAwMDAwMDAwCg==
dualbus@debian:~/bash-fuzzing/zsh-parser$ ~/src/zsh/zsh/Src/zsh -n malloc-corruption
*** Error in `/home/dualbus/src/zsh/zsh/Src/zsh': malloc(): memory corruption: 0x0000000000aca090 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f47ad245bcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f47ad24bf96]
/lib/x86_64-linux-gnu/libc.so.6(+0x78f69)[0x7f47ad24df69]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f47ad24fd84]
/home/dualbus/src/zsh/zsh/Src/zsh(zalloc+0x3c)[0x4798dc]
/home/dualbus/src/zsh/zsh/Src/zsh(setunderscore+0xa2)[0x435892]
/home/dualbus/src/zsh/zsh/Src/zsh[0x43d6b5]
/home/dualbus/src/zsh/zsh/Src/zsh[0x43b804]
/home/dualbus/src/zsh/zsh/Src/zsh[0x433f6e]
/home/dualbus/src/zsh/zsh/Src/zsh(execlist+0x64e)[0x432dfe]
/home/dualbus/src/zsh/zsh/Src/zsh(execode+0x11e)[0x43277e]
/home/dualbus/src/zsh/zsh/Src/zsh(loop+0x416)[0x45e366]
/home/dualbus/src/zsh/zsh/Src/zsh(zsh_main+0x366)[0x4627d6]
/home/dualbus/src/zsh/zsh/Src/zsh(main+0x22)[0x411a32]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f47ad1f52b1]
/home/dualbus/src/zsh/zsh/Src/zsh(_start+0x2a)[0x41193a]
======= Memory map: ========
Aborted

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff71353fa in __GI_abort () at abort.c:89
#2  0x00007ffff7171bd0 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff7266bd0 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007ffff7177f96 in malloc_printerr (action=3, str=0x7ffff72637cb "malloc(): memory corruption", ptr=, ar_ptr=) at malloc.c:5046
#4  0x00007ffff7179f69 in _int_malloc (av=av@entry=0x7ffff7499b00 , bytes=bytes@entry=96) at malloc.c:3509
#5  0x00007ffff717bd84 in __GI___libc_malloc (bytes=96) at malloc.c:2925
#6  0x00000000004798dc in zalloc (size=96) at mem.c:966
#7  0x0000000000435892 in setunderscore (str=0x7ffff7e5bc18 '0' , "malloc-corruption", '0' ) at exec.c:2518
#8  0x000000000043d6b5 in execcmd_exec (state=0x7fffffffde20, eparams=0x7fffffffcce0, input=0, output=0, how=4, last1=2) at exec.c:3183
#9  0x000000000043b804 in execpline2 (state=0x7fffffffde20, pcode=131, how=4, input=0, output=0, last1=0) at exec.c:1873
#10 0x0000000000433f6e in execpline (state=0x7fffffffde20, slcode=3074, how=4, last1=0) at exec.c:1602
#11 0x0000000000432dfe in execlist (state=0x7fffffffde20, dont_change_job=0, exiting=0) at exec.c:1360
#12 0x000000000043277e in execode (p=0x7ffff7e5b5c0, dont_change_job=0, exiting=0, context=0x4d90c4 "toplevel") at exec.c:1141
#13 0x000000000045e366 in loop (toplevel=1, justonce=0) at init.c:208
#14 0x00000000004627d6 in zsh_main (argc=3, argv=0x7fffffffe448) at init.c:1692
#15 0x0000000000411a32 in main (argc=3, argv=0x7fffffffe448) at ./main.c:93