* PATCH: segfault bug in menu selection
@ 2003-05-09 10:50 Jonathan Paisley
2003-05-14 10:23 ` Peter Stephenson
0 siblings, 1 reply; 2+ messages in thread
From: Jonathan Paisley @ 2003-05-09 10:50 UTC (permalink / raw)
To: zsh-workers
Hi,
This is a repost of a bug report I sent in January 2003. I have a
temporary workaround which is included below as a patch against zsh-4.0.6
(although I seem to remember that it applied fairly easily to the CVS
version then).
I'm not subscribed to the list; please include my address in any replies.
The original message (also quoted below):
http://www.zsh.org/cgi-bin/mla/redirect?WORKERNUMBER=18128
The patch:
--- /tmp/zsh-4.0.6/Src/Zle/complist.c Fri Aug 9 14:30:30 2002
+++ zsh-4.0.6/Src/Zle/complist.c Thu Jan 23 11:31:41 2003
@@ -395,6 +395,7 @@
static int mlprinted;
static char *mstatus, *mlistp;
static Cmatch **mtab, **mmtabp;
+static int mtab_been_reallocated;
static Cmgroup *mgtab, *mgtabp;
static struct listcols mcolors;
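Review bot: the new file-scope flag `static int mtab_been_reallocated;` has no comment saying who sets it and who reads it, and the name alone does not tell a later reader that it exists to protect pointers held across getkeycmd(). The report below says the reallocation is reached from SIGWINCH handling, so if any write to the flag can happen in signal-handler context it should be `volatile sig_atomic_t` rather than plain `int`.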
@@ -1573,6 +1574,8 @@
if (mnew) {
int i;
+ mtab_been_reallocated = 1;
+
i = columns * listdat.nlines;
free(mtab);
mtab = (Cmatch **) zalloc(i * sizeof(Cmatch **));
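Review bot: setting the flag just before `free(mtab);` informs only the one reader this patch adds in the getk path; any other saved pointer into the old array still dangles after this block. A one-line comment here naming the consumer would make the contract explicit, and a longer-term fix would have callers keep an index and re-derive the pointer rather than cache it.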
@@ -1647,6 +1650,7 @@
Cmatch **p;
Cmgroup *pg;
Thingy cmd;
+ int do_last_key = 0;
Menustack u = NULL;
int i = 0, acc = 0, wishcol = 0, setwish = 0, oe = onlyexpl, wasnext = 0;
int space, lbeg = 0, step = 1, wrap, pl = nlnct, broken = 0, first = 1;
@@ -1689,6 +1693,7 @@
mlines = 999999;
mlbeg = 0;
for (;;) {
+ mtab_been_reallocated = 0;
if (mline < 0) {
int x, y;
Cmatch **p = mtab;
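Review bot: clearing the flag unconditionally at the top of `for (;;)` means a reallocation that happens after the getkeycmd() check in one iteration, while the command is being handled, is discarded here without anything revalidating `p`. Please confirm that nothing in the rest of the loop body can rebuild mtab, or move the reset to just before the key read so that the window it covers is explicit.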
@@ -1778,7 +1783,16 @@
getk:
- if (!(cmd = getkeycmd()) || cmd == Th(z_sendbreak)) {
+ if (!do_last_key) {
+ cmd = getkeycmd();
+ if (mtab_been_reallocated) {
+ do_last_key = 1;
+ continue;
+ }
+ }
+ do_last_key = 0;
+
+ if (!cmd || cmd == Th(z_sendbreak)) {
zbeep();
break;
} else if (nolist && cmd != Th(z_undo)) {
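Review bot: the `continue` after `do_last_key = 1;` helps only if the top of the loop recomputes the function-level `p` from the new mtab; the only recomputation visible in this patch sits inside `if (mline < 0)` and assigns a block-local `Cmatch **p = mtab;`. Please confirm that p is refreshed on the mline >= 0 path as well, otherwise the replayed key still goes through the stale pointer. Since `cmd` is now carried across an iteration, a comment on the replay logic next to `do_last_key = 0;` would also help.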
---------- Forwarded message ----------
From: jp-www
To: zsh-workers
Date: Sat, 18 Jan 2003 21:47:59 +0000 (GMT)
Subject: segfault bug in menu selection + diagnosis
Hi,
I'm new to zsh and have been playing with the nice completion stuff. I've
found a segfaulting bug which appears to be reproducible. This was against
zsh-4.0.6, but I've also confirmed it with the HEAD branch in CVS (18/1/03
21:20).
Steps to reproduce:
1. Start a new shell which uses new-style completion and the following
styles:
zstyle ':completion:*:kill:*' menu yes select
zstyle ':completion:*:kill:*' force-list always
These aren't actually necessary -- if you press tab enough times to
get the menu select to appear it happens too.
2. Type 'kill '
3. Press tab to get menu selection of processes (so a single process ID
appears on the command line and the first process in the list is
highlighted)
4. Resize your terminal to make it a bit wider, causing a SIGWINCH
5. Press the UP arrow
6. Segmentation fault should occur
If it doesn't happen straight away, try starting afresh and moving around
a little bit with the arrows before resizing.
This was on an i386 RedHat 8.0 system. The info below pertains to
zsh-4.0.6.
Backtrace indicates that the crash occurs in domenuselect() in
complist.c:2272, in a call to dosingle(**p), while dereferencing p twice.
The memory it pointed to has been freed, and doing
print (char*) p
in gdb shows a string (in this case):
"=01;31:(jobs)*.Z=01;31:(jobs)*.gz=01;"...
So I suppose the memory has been reused for some strings that
have been later allocated.
I don't know enough about the structure of the source code to fix the
problem, but I think it's happening because the zrefresh() that's
called as a result of handling the SIGWINCH (the signal is delivered
during the domenuselect call to getkeycmd() at line 1781) eventually
causes complistmatches() to be called, thus freeing the 'mtab' global
array unexpectedly (at least to domenuselect()), so 'p' is invalid.
Thanks. I hope I've provided enough information to resolve the issue.
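
The failure mode described in the report, modelled as a small added C example (not zsh code and not part of the original message): a pointer into a global table goes stale when the table is rebuilt during a blocking key read, and the caller uses a flag to notice. Unlike the patch, which restarts the loop, this model recomputes the pointer from a saved index; `rebuild_table`, `get_key` and `select_after_key` are hypothetical names and the table entries are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not zsh code; names echo the thread for readability. */
static const char **mtab;           /* global table rebuilt on redraw */
static int mtab_len;
static int mtab_been_reallocated;   /* set by whoever rebuilds the table */

/* Hypothetical stand-in for complistmatches(): free and rebuild the table. */
static void rebuild_table(int len)
{
    static const char *pids[] = { "1001", "1002", "1003", "1004" }; /* constructed */
    free(mtab);
    mtab = malloc(len * sizeof *mtab);
    if (!mtab) abort();
    for (int i = 0; i < len; i++)
        mtab[i] = pids[i % 4];
    mtab_len = len;
    mtab_been_reallocated = 1;
}

/* Hypothetical stand-in for getkeycmd(): a resize while waiting rebuilds mtab. */
static int get_key(int resize_during_wait)
{
    if (resize_during_wait)
        rebuild_table(mtab_len + 2);
    return 'k';
}

/* Highlight entry idx, wait for a key, use the entry; *rederived reports a stale p. */
const char *select_after_key(int idx, int resize_during_wait, int *rederived)
{
    rebuild_table(4);
    const char **p = &mtab[idx];    /* cached pointer into the table */
    mtab_been_reallocated = 0;
    (void)get_key(resize_during_wait);
    *rederived = mtab_been_reallocated;
    if (mtab_been_reallocated)      /* old array was freed: p is dangling */
        p = &mtab[idx];             /* recompute from the stable index */
    return *p;
}

int main(void)
{
    int r;
    const char *s = select_after_key(2, 1, &r);
    printf("%s rederived=%d\n", s, r);
}
```
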
* Re: PATCH: segfault bug in menu selection
2003-05-09 10:50 PATCH: segfault bug in menu selection Jonathan Paisley
@ 2003-05-14 10:23 ` Peter Stephenson
0 siblings, 0 replies; 2+ messages in thread
From: Peter Stephenson @ 2003-05-14 10:23 UTC (permalink / raw)
To: Jonathan Paisley, zsh-workers
Jonathan Paisley wrote:
> Hi,
>
> This is a repost of a bug report I sent in January 2003. I have a
> temporary workaround which is included below as a patch against zsh-4.0.6
> (although I seem to remember that it applied fairly easily to the CVS
> version then).
Thanks, I've applied this --- it looks extremely unlikely anyone is
going to be doing anything else with this part of the code in the near
future since the maintainer isn't working on it any more.
--
Peter Stephenson <pws@csr.com> Software Engineer
CSR Ltd., Science Park, Milton Road,
Cambridge, CB4 0WH, UK Tel: +44 (0)1223 692070