Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

PATCH: NULL-Pointer dereference in complist.c

X-seq: zsh-workers 23144
From: Felix Eckhofer <felix@xxxxxxxxx>
To: zsh-workers@xxxxxxxxxx
Subject: PATCH: NULL-Pointer dereference in complist.c
Date: Fri, 2 Feb 2007 23:45:11 +0100
Mailing-list: contact zsh-workers-help@xxxxxxxxxx; run by ezmlm

Hi everyone.

Just recently I started to enjoy the wonders of zsh and it is definitely 
the best shell I have used so far. Thanks for a great piece of 
software!

However, I was quickly able to reproduce a segfault on my machine 
(Ubuntu 6.10, zsh 4.3.2-13ubuntu1, x86_64). It happens, because at 
complist.c:1848 s == NULL. I wasn't able to understand completely what 
happens but the attached patch works for me and seems reasonable.

Unfortunately, CVS seems down for the moment so I couldn't check whether 
this is already fixed in HEAD. If it is, ignore me :)

Steps to reproduce:
  1) Open the menu completion in interactive mode.
  2) Press backspace.

I've also attached the backtrace. Let me know if you need any further 
information.


best regards,
felix
-- 
felix_eckhofer  *  [fli4l-/eis-team]  *  ICQ#_59008162

"Ein Betriebssystem sie zu knechten, sie alle zu finden,
 ins Dunkle zu treiben und ewig zu binden..."

--- zsh-4.2.6/Src/Zle/complist.c	2005-04-25 12:20:00.000000000 +0200
+++ zsh-4.2.6-patched/Src/Zle/complist.c	2007-02-02 23:06:36.000000000 +0100
@@ -1845,6 +1845,9 @@
 {
     Menusearch s = msearchstack;
 
+    if (!s)
+        return NULL;
+
     if (s->prev)
         msearchstack = s->prev;

GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run
Starting program: /usr/local/bin/zsh 

Program received signal SIGSEGV, Segmentation fault.
0x00002b5fcaed3658 in msearchpop (backp=0x7fffe0c27938) at complist.c:1848
1848	    if (s->prev)
(gdb) 
(gdb) bt
#0  0x00002b5fcaed3658 in msearchpop (backp=0x7fffe0c27938) at complist.c:1848
#1  0x00002b5fcaed749d in domenuselect (dummy=0x2b5fcadc1968, dat=0x7fffe0c27b00) at complist.c:2832
#2  0x000000000045d873 in runhookdef (h=0x2b5fcadc1968, d=0x7fffe0c27b00) at module.c:1859
#3  0x00002b5fcaca5a9a in after_complete (dummy=0x2b5fcab8cc98, dat=0x7fffe0c27ba0) at compcore.c:496
#4  0x000000000045d8dd in runhookdef (h=0x2b5fcab8cc98, d=0x7fffe0c27ba0) at module.c:1865
#5  0x00002b5fcaa73f38 in docomplete (lst=0) at zle_tricky.c:824
#6  0x00002b5fcaa72616 in expandorcomplete (args=0x2b5fcab8d0e0) at zle_tricky.c:288
#7  0x00002b5fcaa721dd in completecall (args=0x2b5fcab8d0e0) at zle_tricky.c:182
#8  0x00002b5fcaa64a2c in execzlefunc (func=0x2b5fcab89d58, args=0x2b5fcab8d0e0) at zle_main.c:933
#9  0x00002b5fcaa63f92 in zlecore () at zle_main.c:709
#10 0x00002b5fcaa646bc in zleread (lp=0x5c0e30, rp=0x5c0d68, flags=3, context=0) at zle_main.c:863
#11 0x0000000000443a18 in inputline () at input.c:278
#12 0x00000000004438a5 in ingetc () at input.c:214
#13 0x00000000004398b5 in ihgetc () at hist.c:241
#14 0x000000000044d016 in gettok () at lex.c:631
#15 0x000000000044c776 in yylex () at lex.c:347
#16 0x000000000046a30f in parse_event () at parse.c:449
#17 0x00000000004406c5 in loop (toplevel=1, justonce=0) at init.c:128
#18 0x00000000004433f7 in zsh_main (argc=1, argv=0x7fffe0c282b8) at init.c:1280
#19 0x000000000040d0f3 in main (argc=1, argv=0x7fffe0c282b8) at ./main.c:93
(gdb) bt full
#0  0x00002b5fcaed3658 in msearchpop (backp=0x7fffe0c27938) at complist.c:1848
	s = (Menusearch) 0x0
#1  0x00002b5fcaed749d in domenuselect (dummy=0x2b5fcadc1968, dat=0x7fffe0c27b00) at complist.c:2832
	back = 0
	np = (Cmatch **) 0x7fffe0c279b0
	p = (Cmatch **) 0x62db60
	pg = (Cmgroup *) 0x62c3a0
	cmd = (Thingy) 0x2b5fcab89790
	do_last_key = 0
	u = (Menustack) 0x0
	i = 1
	acc = 0
	wishcol = 0
	setwish = 0
	oe = 0
	wasnext = 0
	space = 39
	lbeg = 0
	step = 1
	wrap = -524125712
	pl = 1
	broken = 0
	first = 0
	nolist = 0
	mode = 2
	modecs = 14
	modell = 14
	modelen = 10
	s = 0x62f4f0 "search-forward"
	status = "isearch: \000éÉ_+\000\000\016\000\000\000\000\000\000\000ðÿÿÿÿÿÿÿ\016\000\000\000\000\000\000\000 µb", '\0' <repeats 22 times>, "\200pÊ_+\000\000\000X_\000\000\000\000\000ðzÂàÿ\177\000\000eXÊÊ_+\000\000\000\000\000\000\000\000\000\000Àq^\000\000\000\000\000\001\000\000\000\002\000\000\000\002\000\000\000\002\000\000"
	modeline = 0x2b5fca7081c0 "cd chrono-zsh/"
	fdat = (Chdata) 0x7fffe0c27b00
	lastsearch = 0x0
#2  0x000000000045d873 in runhookdef (h=0x2b5fcadc1968, d=0x7fffe0c27b00) at module.c:1859
	p = (LinkNode) 0x5dfbd0
	r = 11103
#3  0x00002b5fcaca5a9a in after_complete (dummy=0x2b5fcab8cc98, dat=0x7fffe0c27ba0) at compcore.c:496
	cdat = {matches = 0x63ea30, num = 11, nmesg = 0, cur = 0x0}
	ret = 11103
#4  0x000000000045d8dd in runhookdef (h=0x2b5fcab8cc98, d=0x7fffe0c27ba0) at module.c:1865
No locals.
#5  0x00002b5fcaa73f38 in docomplete (lst=0) at zle_tricky.c:824
	s = 0x6190e0 ' ' <repeats 14 times>
	ol = 0x0
	olst = 4
	chl = 0
	ne = 0
	ocs = 3
	ret = 0
	dat = {0, 0}
	active = 1
#6  0x00002b5fcaa72616 in expandorcomplete (args=0x2b5fcab8d0e0) at zle_tricky.c:288
	ret = 11103
#7  0x00002b5fcaa721dd in completecall (args=0x2b5fcab8d0e0) at zle_tricky.c:182
No locals.
#8  0x00002b5fcaa64a2c in execzlefunc (func=0x2b5fcab89d58, args=0x2b5fcab8d0e0) at zle_main.c:933
	atcurhist = 1
	wflags = 134
	r = 0
	ret = 0
	w = (Widget) 0x5f53e0
#9  0x00002b5fcaa63f92 in zlecore () at zle_main.c:709
No locals.
#10 0x00002b5fcaa646bc in zleread (lp=0x5c0e30, rp=0x5c0d68, flags=3, context=0) at zle_main.c:863
	s = (unsigned char *) 0x0
	old_errno = 0
	tmout = 0
	initthingy = (Thingy) 0x0
#11 0x0000000000443a18 in inputline () at input.c:278
	flags = 3
	ingetcline = 0x0
	ingetcpmptl = (char **) 0x5c0e30
	ingetcpmptr = (char **) 0x5c0d68
	context = 0
#12 0x00000000004438a5 in ingetc () at input.c:214
	lastc = 0
#13 0x00000000004398b5 in ihgetc () at hist.c:241
	c = 0
#14 0x000000000044d016 in gettok () at lex.c:631
	c = 0
	d = 0
	peekfd = -1
	peek = 0
#15 0x000000000044c776 in yylex () at lex.c:347
No locals.
#16 0x000000000046a30f in parse_event () at parse.c:449
No locals.
#17 0x00000000004406c5 in loop (toplevel=1, justonce=0) at init.c:128
	prog = (Eprog) 0x5d9490
#18 0x00000000004433f7 in zsh_main (argc=1, argv=0x7fffe0c282b8) at init.c:1280
	t = (char **) 0x7fffe0c282c0
	t0 = 156
#19 0x000000000040d0f3 in main (argc=1, argv=0x7fffe0c282b8) at ./main.c:93
No locals.
(gdb) quit
The program is running.  Exit anyway? (y or n)

Attachment: pgpV2a04bmBql.pgp
Description: PGP signature

Follow-Ups:
- Re: PATCH: NULL-Pointer dereference in complist.c
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author