zsh 4.3.11 regexp-related crash

[Nix <nix@xxxxxxxxxxxxx>]

This is a regression in 4.3.11, not seen in 4.3.10.

The following script:

,----
| #!/bin/zsh
| 
| cat /etc/passwd | while read A; do
| 
|     if [[ $A =~ ":audio:" ]]; then
|         FBAR="foo"
|     fi
| done
`----

dumps core:

#0  0x00007fac8ee16b7f in __strlen_sse42 () from /lib/libc.so.6
#1  0x000000000046fcec in taddstr (s=0x7faca8049c40 <Address 0x7faca8049c40 out of bounds>) at text.c:115
#2  0x00000000004700e4 in taddlist (state=0x7fffe3a9a7e0, num=<value optimized out>) at text.c:141
#3  0x0000000000471134 in gettext2 (state=0x7fffe3a9a7e0) at text.c:520
#4  0x00000000004711e6 in getjobtext (prog=0x7fac8fb5f508, c=0x7fac8fb5f560) at text.c:223
#5  0x000000000042527a in execpline2 (state=0x7fffe3a9ab40, pcode=<value optimized out>, how=18, input=12, output=0, last1=0) at exec.c:1625
#6  0x00000000004251a8 in execpline2 (state=0x7fffe3a9ab40, pcode=<value optimized out>, how=18, input=0, output=0, last1=0) at exec.c:1687
#7  0x0000000000425565 in execpline (state=0x7fffe3a9ab40, slcode=<value optimized out>, how=18, last1=0) at exec.c:1416
#8  0x00000000004264a7 in execlist (state=0x7fffe3a9ab40, dont_change_job=<value optimized out>, exiting=<value optimized out>) at exec.c:1199
#9  0x00000000004267f6 in execode (p=0x7fac8fb5f508, dont_change_job=0, exiting=0, context=0x47ed45 "toplevel") at exec.c:1020
#10 0x0000000000437e01 in loop (toplevel=1, justonce=0) at init.c:185
#11 0x000000000043916e in zsh_main (argc=<value optimized out>, argv=<value optimized out>) at init.c:1508
#12 0x00007fac8ed2ed6d in __libc_start_main () from /lib/libc.so.6
#13 0x000000000040e419 in _start ()

It looks like getjobtext() is being handed an invalid string, but quite
how that gets there is beyond me right now.

Oddly, it is sensitive to the length of the FBAR variable name. FBAR
dumps core: BAR does not.