Zsh Mailing List Archive

Re: Complex config triggering Segfault in pattern matching code.



Peter Stephenson wrote on Thu, Dec 18, 2014 at 19:09:24 +0000:
> @@ -450,10 +451,15 @@ set_region_highlight(UNUSED(Param pm), char **aval)
>      len = aval ? arrlen(aval) : 0;
>      if (n_region_highlights != len + N_SPECIAL_HIGHLIGHTS) {
>  	/* no null termination, but include special highlighting at start */
> -	n_region_highlights = len + N_SPECIAL_HIGHLIGHTS;
> +	int newsize = len + N_SPECIAL_HIGHLIGHTS
> +	int diffsize = newsize - n_region_highlights;
>  	region_highlights = (struct region_highlight *)
>  	    zrealloc(region_highlights,
> -		     sizeof(struct region_highlight) * n_region_highlights);
> +		     sizeof(struct region_highlight) * newsize);
> +	if (diffsize > 0)
> +	    memset(region_highlights + newsize, 0,
> +		   sizeof(struct region_highlight) * diffsize);
> +	n_region_highlights = newsize;
>      }
>  
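Review bot: the memset() added in this hunk zeroes the wrong region: `region_highlights + newsize` is one past the end of the array zrealloc() just returned, so all `diffsize` elements being cleared lie outside the allocation, a heap overflow on every grow. The new tail begins at the old element count, so the start should be `region_highlights + n_region_highlights` (still the old value here, since it is only assigned after the memset) or equivalently `region_highlights + newsize - diffsize`. Also, as quoted, `int newsize = len + N_SPECIAL_HIGHLIGHTS` has no trailing semicolon, so the hunk as shown would not compile.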

The arguments to memset() are wrong:

diff --git a/Src/Zle/zle_refresh.c b/Src/Zle/zle_refresh.c
index c146e46..fe33799 100644
--- a/Src/Zle/zle_refresh.c
+++ b/Src/Zle/zle_refresh.c
@@ -457,7 +457,7 @@ set_region_highlight(UNUSED(Param pm), char **aval)
 	    zrealloc(region_highlights,
 		     sizeof(struct region_highlight) * newsize);
 	if (diffsize > 0)
-	    memset(region_highlights + newsize, 0,
+	    memset(region_highlights + newsize - diffsize, 0,
 		   sizeof(struct region_highlight) * diffsize);
 	n_region_highlights = newsize;
     }
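Review bot: `newsize - diffsize` is correct but indirect; by construction it is the previous `n_region_highlights`, which is still the old value on this line because `n_region_highlights = newsize;` follows the memset(). Writing `memset(region_highlights + n_region_highlights, 0, ...)` would state the intent (zero only the entries added beyond the old count) without the reader having to re-derive it from the arithmetic; if the subtraction stays, a one-line comment saying the start is the old count would help. The `diffsize > 0` guard is right: on a shrink there is no new tail to clear.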

(Found via glibc's "glibc detected memory corruption" runtime check.)

Cheers,

Daniel

>      if (!aval)
> 
> -- 
> Peter Stephenson <p.w.stephenson@xxxxxxxxxxxx>
> Web page now at http://homepage.ntlworld.com/p.w.stephenson/
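The pattern the two patches above are about (realloc an array, then zero only the newly added tail, starting at the old element count), as an added C example. This is not zsh's code: the struct below is a stand-in for zsh's struct region_highlight with made-up fields, and resize_zeroed, memset_in_bounds and demo_grow are names chosen here. memset_in_bounds checks the element range a memset would cover purely arithmetically, so the out-of-bounds start offset from the original patch can be examined without actually performing the write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for zsh's struct region_highlight; the fields are assumed,
 * not the real layout. */
struct region_highlight {
    int atr;
    int start;
    int end;
    int flags;
};

/*
 * Resize *arrp from *np elements to newsize elements with realloc() and
 * zero only the newly added tail.  The tail starts at the OLD count, so
 * the count is updated only after the memset().  Returns 0 on success,
 * -1 on a bad size or a failed realloc() (the old array is left intact).
 */
static int resize_zeroed(struct region_highlight **arrp, int *np, int newsize)
{
    int diffsize = newsize - *np;
    struct region_highlight *tmp;

    if (newsize < 0)
        return -1;
    if (newsize == *np)
        return 0;
    if (newsize == 0) {            /* avoid realloc(p, 0), whose result is implementation-defined */
        free(*arrp);
        *arrp = NULL;
        *np = 0;
        return 0;
    }
    tmp = realloc(*arrp, sizeof(*tmp) * (size_t)newsize);
    if (!tmp)
        return -1;
    *arrp = tmp;
    if (diffsize > 0)              /* grow: clear [old count, newsize) */
        memset(*arrp + *np, 0, sizeof(**arrp) * (size_t)diffsize);
    *np = newsize;                 /* only now is the old count no longer needed */
    return 0;
}

/* Would zeroing diffsize elements starting at element index `start` stay
 * inside an array of newsize elements?  Returns 1 if so, 0 otherwise. */
static int memset_in_bounds(int start, int diffsize, int newsize)
{
    return start >= 0 && diffsize >= 0 && start + diffsize <= newsize;
}

/* Grow 0 -> 2 -> 5, then shrink to 3.  Checks that earlier entries survive
 * each resize and that the grown tail is all zero.  Returns 1 on success,
 * 0 on any failed check. */
static int demo_grow(void)
{
    struct region_highlight *arr = NULL;
    int n = 0, i, ok = 1;

    if (resize_zeroed(&arr, &n, 2) != 0)
        return 0;
    arr[0].atr = 7; arr[0].start = 1; arr[0].end = 4; arr[0].flags = 1;
    arr[1].atr = 9; arr[1].start = 5; arr[1].end = 8; arr[1].flags = 2;

    if (resize_zeroed(&arr, &n, 5) != 0) {
        free(arr);
        return 0;
    }
    if (n != 5 || arr[0].atr != 7 || arr[1].atr != 9)
        ok = 0;
    for (i = 2; i < 5; i++)        /* the new tail must be zeroed */
        if (arr[i].atr || arr[i].start || arr[i].end || arr[i].flags)
            ok = 0;

    if (resize_zeroed(&arr, &n, 3) != 0) {   /* shrink: nothing to zero */
        free(arr);
        return 0;
    }
    if (n != 3 || arr[1].end != 8)
        ok = 0;

    free(arr);
    return ok;
}

int main(void)
{
    int newsize = 5, diffsize = 3;   /* the grow case: old count was 2 */

    printf("grow/shrink checks: %s\n", demo_grow() ? "ok" : "FAILED");
    printf("memset at newsize:            %s\n",
           memset_in_bounds(newsize, diffsize, newsize) ? "in bounds" : "OUT OF BOUNDS");
    printf("memset at newsize - diffsize: %s\n",
           memset_in_bounds(newsize - diffsize, diffsize, newsize) ? "in bounds" : "OUT OF BOUNDS");
    return 0;
}
```

The only difference between the two memset start offsets is which side of the new end of the array they sit on: starting at `newsize` covers elements [newsize, newsize + diffsize), none of which exist, while starting at the old count covers exactly the elements realloc() added. Running the original variant under glibc's malloc checks is what produced the "memory corruption" abort mentioned in the reply.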


