From: Eduardo Bustamante
Date: Sun, 7 May 2017 11:45:57 -0500
Subject: Zsh parser segmentation fault on taddstr
To: zsh-workers@zsh.org
Cc: Eduardo A. Bustamante López
List-Id: Zsh Workers List
X-Seq: 41052

(please keep me CC'ed, since I'm not subscribed)

Hi all, the following file crashes Zsh when run with noexec:

dualbus@mksh-parser-4pxg:~$ cat -A cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
if (a)M-^?^@^@<<^EM-^?^I^F|&^D\
dualbus@mksh-parser-4pxg:~$ xxd cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
00000000: 6966 2028 6129 ff00 003c 3c05 ff09 067c  if (a)...<<....|
00000010: 2604 5c                                  &.\

(gdb) r -nv cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
Starting program: /home/dualbus/zsh/Src/zsh -nv cmin-zsh-crashes/output_16_crashes_id:000392,sig:11,src:016511+011323,op:splice,rep:2
if (a)�<<� |&\

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106     ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x000055555560480c in taddstr (s=0x800006cb54c4 ) at text.c:148
#2  0x000055555560698b in gettext2 (state=0x7fffffffdd60) at text.c:949
#3  0x0000555555604f43 in getjobtext (prog=0x7ffff7ff13f8, c=0x7ffff7ff143c) at text.c:337
#4  0x000055555558c394 in execpline2 (state=0x7fffffffe260, pcode=131, how=18, input=0, output=0, last1=0) at exec.c:1865
#5  0x000055555558b08a in execpline (state=0x7fffffffe260, slcode=32770, how=18, last1=0) at exec.c:1602
#6  0x000055555558a39e in execlist (state=0x7fffffffe260, dont_change_job=0, exiting=0) at exec.c:1360
#7  0x0000555555589a44 in execode (p=0x7ffff7ff13f8, dont_change_job=0, exiting=0, context=0x55555561a27f "toplevel") at exec.c:1141
#8  0x00005555555aeb6b in loop (toplevel=1, justonce=0) at init.c:208
#9  0x00005555555b29bb in zsh_main (argc=3, argv=0x7fffffffe558) at init.c:1692
#10 0x000055555556a320 in main (argc=3, argv=0x7fffffffe558) at ./main.c:93

Bug found by fuzzing `zsh -nv @@' with AFL.