Running `zsh -fc ': ${${(PAA)p[foo]}::=x}'` in current zsh versions causes: > "segmentation fault (core dumped) zsh -fc '(: ${${(PAA)p[foo]}::=x})' Also happens when testing with machabot: > 19:42 <jp> > : ${${(PAA)p[foo]}::=x} > 19:42 <machabot> jp: zsh[248]: segfault at 0 ip b7dfcda3 sp bfeb9ebc > error 4 in libc-2.13.so[b7d84000+149000] Add checks to catch NULL dereferences. Signed-off-by: Joey Pabalinas <joeypabalinas@xxxxxxxxx> 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/Src/params.c b/Src/params.c index de7730ae735a44963c..9516185015d878b553 100644 --- a/Src/params.c +++ b/Src/params.c @@ -2016,6 +2016,9 @@ fetchvalue(Value v, char **pptr, int bracks, int flags) char sav, c; int ppar = 0; + if (!*pptr) + return NULL; + s = t = *pptr; if (idigit(c = *s)) { diff --git a/Src/string.c b/Src/string.c index 9e14ef94919c3e8ec5..7ad8ca7589199e8170 100644 --- a/Src/string.c +++ b/Src/string.c @@ -144,7 +144,12 @@ dyncat(const char *s1, const char *s2) { /* This version always uses space from the current heap. */ char *ptr; - size_t l1 = strlen(s1); + size_t l1; + + if (!s1 || !s2) + return NULL; + + l1 = strlen(s1); ptr = (char *)zhalloc(l1 + strlen(s2) + 1); strcpy(ptr, s1); diff --git a/Src/subst.c b/Src/subst.c index d027e3d83cadc631a7..c423bc8433c590a89c 100644 --- a/Src/subst.c +++ b/Src/subst.c @@ -2577,7 +2577,7 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags, * the local value system, or we need to get rid of brackets * even if there isn't a v. */ - while (v || ((inbrace || (unset(KSHARRAYS) && vunset)) && isbrack(*s))) { + while (v || ((inbrace || (unset(KSHARRAYS) && vunset)) && s && isbrack(*s))) { if (!v) { /* * Index applied to non-existent parameter; we may or may @@ -2703,6 +2703,8 @@ paramsubst(LinkList l, LinkNode n, char **str, int qt, int pf_flags, * examine properly later on. */ if (inbrace) { + if (!s) + return NULL; c = *s; if (!IS_DASH(c) && c != '+' && c != ':' && c != '%' && c != '/' && -- 2.15.1
Attachment:
signature.asc
Description: PGP signature