Zsh Mailing List Archive

Re: zsh 4.3.13 released



On Sat, 3 Dec 2011 23:19:54 +0100
ports@xxxxxxxxxxxx wrote:
> % zmodload -i bogus/notamodule
> Segmentation fault (core dumped)
>....
> #0  0x000000000048f5bc in metafy (buf=0x207a096d7 "File not found", len=14, heap=1) at utils.c:4006
> 4006        *e = '\0';
> (gdb) bt
> #0  0x000000000048f5bc in metafy (buf=0x207a096d7 "File not found", len=14, heap=1) at utils.c:4006

heap=1 is META_USEHEAP: "get memory from the heap.  This leaves buf
unchanged."  However, the function unconditionally attempts to add null
termination.  A defence lawyer could probably claim that adding a null
when there was one already there wasn't actually modification.  Not sure
how we've avoided seeing this before.

It seems some parts of the code are relying on the fact that the NULL
gets added even if the string doesn't need metafying.  Treating the
absence of NULL termination as a reason for modifying the buffer was the
neatest of the three fixes I came up with.

Index: Src/utils.c
===================================================================
RCS file: /cvsroot/zsh/zsh/Src/utils.c,v
retrieving revision 1.264
diff -p -u -r1.264 utils.c
--- Src/utils.c	15 Nov 2011 15:08:57 -0000	1.264
+++ Src/utils.c	3 Dec 2011 22:51:19 -0000
@@ -3959,7 +3959,7 @@ metafy(char *buf, int len, int heap)
 	    if (imeta(*e++))
 		meta++;
 
-    if (meta || heap == META_DUP || heap == META_HEAPDUP) {
+    if (meta || heap == META_DUP || heap == META_HEAPDUP || *e != '\0') {
 	switch (heap) {
 	case META_REALLOC:
 	    buf = zrealloc(buf, len + meta + 1);
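Review bot: the added `*e != '\0'` test inspects buf[len], the byte just past the `len` bytes the loop above scanned. That is the same byte the pre-patch code wrote to unconditionally, so the read introduces no new out-of-bounds access, but it silently preserves the requirement that every caller hand in len + 1 accessible bytes; a one-line comment on the condition saying that a missing terminator now forces the copying path (META_USEHEAP promises to leave buf untouched, so a terminator can only be written into a copy) would make that contract explicit. The placement of the test last in the `||` chain is worth keeping: because of short-circuit evaluation, the META_DUP and META_HEAPDUP cases never read buf[len] at all.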
@@ -4002,8 +4002,8 @@ metafy(char *buf, int len, int heap)
 		meta--;
 	    }
 	}
+	*e = '\0';
     }
-    *e = '\0';
     return buf;
 }
 
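Review bot: moving `*e = '\0'` inside the block is only correct if every arm of `switch (heap)` leaves `e` at the final write position once the copy loop ends; the hunk shows only the tail of that loop (`meta--; }`), so please confirm that the arms which do not reallocate also finish with `e` pointing at buf + len + meta, otherwise the terminator lands in the wrong place for them. With the store removed from the fall-through path, a buffer that has nothing to escape and is already terminated is now returned without any write, which is what stops the crash on the read-only "File not found" string in the report; a regression test running `zmodload -i bogus/notamodule` would lock that behaviour in.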
-- 
Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
Web page now at http://homepage.ntlworld.com/p.w.stephenson/
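As an added illustration of the rule the patch above enforces (write only into memory the function itself owns, and never touch a caller's buffer that is already terminated), here is a compact C model of the post-fix decision. It is example code written for this page, not zsh's metafy() and not part of the message above: the mode values, the Meta marker byte 0x83, the imeta() range and the `byte ^ 32` escaping are assumptions chosen for the example, and only the META_USEHEAP and META_DUP modes are modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Modes modelled here. The numeric values, the Meta byte and the imeta()
 * rule below are assumptions for this example, not zsh's definitions. */
enum { META_USEHEAP = 1, META_DUP = 2 };

#define META_BYTE 0x83  /* assumed marker byte; the escaped byte follows as byte ^ 32 */

/* Assumed predicate for bytes that need escaping (NUL and the Meta range). */
static int imeta(unsigned char c)
{
    return c == 0 || (c >= 0x83 && c <= 0x9d);
}

/* As in the original function, buf must give access to len + 1 bytes:
 * buf[len] is read to see whether a terminator is already present. The
 * guard mirrors the patch: the caller's buffer is returned untouched only
 * when nothing needs escaping, no copy was requested and buf[len] is NUL. */
char *metafy_fixed(char *buf, size_t len, int heap)
{
    size_t meta = 0;
    for (size_t i = 0; i < len; i++)
        if (imeta((unsigned char)buf[i]))
            meta++;

    /* Order matters: buf[len] is only read when the cheaper tests fail,
     * exactly as the patched `||` chain does after De Morgan. */
    if (meta == 0 && heap != META_DUP && buf[len] == '\0')
        return buf;          /* no store at all: safe for a read-only literal */

    /* Anything that must be written goes into memory this function owns. */
    char *out = malloc(len + meta + 1);
    if (out == NULL)
        return NULL;
    char *e = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (imeta(c)) {
            *e++ = (char)META_BYTE;
            *e++ = (char)(c ^ 32);
        } else {
            *e++ = (char)c;
        }
    }
    *e = '\0';               /* the terminator lands in our copy, never in buf */
    return out;
}

/* Inverse transform so the escaping can be round-tripped; returns the
 * decoded length, which may include embedded NUL bytes. */
size_t unmetafy_copy(const char *in, char *out)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p != 0; p++) {
        if (*p == META_BYTE && p[1] != 0) {
            p++;
            out[n++] = (char)(*p ^ 32);
        } else {
            out[n++] = (char)*p;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: the literal from the bug report, and a slice of a
     * longer buffer whose byte after the slice is not a terminator. */
    char *literal = "File not found";
    char slice[5] = { 'a', 'b', 'c', 'x', '\0' };
    char *r1 = metafy_fixed(literal, strlen(literal), META_USEHEAP);
    char *r2 = metafy_fixed(slice, 3, META_USEHEAP);
    printf("literal returned as-is: %s\n", r1 == literal ? "yes" : "no");
    printf("slice copied: %s, copy = \"%s\", slice[3] still '%c'\n",
           r2 != slice ? "yes" : "no", r2, slice[3]);
    if (r2 != slice)
        free(r2);
    return 0;
}
```

The string literal case is the one from the report: with len 14 and a terminator already in place, the function performs no store, so a read-only page is never written. The three-byte slice shows the other half of the fix: its fourth byte is 'x', not NUL, so under META_USEHEAP the function must produce a heap copy rather than overwrite the caller's memory. The round-trip helper lets a test confirm that escaping NUL and Meta bytes is lossless.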
