Zsh Mailing List Archive
Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
- X-seq: zsh-workers 46163
- From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
- To: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
- Subject: Re: [BUG] Zsh crashes when using autocomplete because of memory unsafety (double free)
- Date: Sun, 28 Jun 2020 12:27:29 -0700
- In-reply-to: <CAH+w=7YVxqB5-TSO8QNvJajjv_MxnmWijd9PX=wkzXNu-GKGmg@mail.gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- List-unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <00cb28e8-004e-2c8c-e02d-6063f4079c1d@soptik.tech> <20200626162405.4a7d28c1@tarpaulin.shahaf.local2> <CAH+w=7YVxqB5-TSO8QNvJajjv_MxnmWijd9PX=wkzXNu-GKGmg@mail.gmail.com>
- Sender: zsh-workers@xxxxxxx
On Sun, Jun 28, 2020 at 12:09 AM Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
>
> % autoload compinit
> % compinit -D
> % setopt completeinword
> % alias a='"<left><TAB>
>
> I think it has to do with
> compset -P 1 '*='
> compset -q
>
> So, what's happening is that a=' turns into a=\"
>
Just to clarify, you can actually watch this happening in gdb if you set a
watchpoint on "offs" and step through a few instructions.
toltec-ubuntu% alias a='"
Hardware watchpoint 1: offs
Old value = 3
New value = 2
get_comp_string () at zle_tricky.c:1883
1883 if (*p == Snull && isset(RCQUOTES))
(gdb) p p
$24 = 0x865592 "\235\""
(gdb) p zlemetaline
$25 = 0x8b7a40 "alias a='\""
(gdb) n
1885 if (p[1] || *p != Bnull) {
(gdb) n
1886 if (*p == Bnull) {
(gdb)
1890 ocs = zlemetacs;
(gdb)
1891 zlemetacs = i;
(gdb) p ocs
$26 = 9
(gdb) n
1892 foredel(skipchars, CUT_RAW);
(gdb) n
1893 if ((zlemetacs = ocs) > --i) {
(gdb) p skipchars
$27 = 1
(gdb) p zlemetaline
$28 = 0x8b7a40 "alias a=\""
(gdb) where 2
#0 get_comp_string () at zle_tricky.c:1893
#1 0x0000000000545b5c in docomplete (lst=4) at zle_tricky.c:664
> and consequently increases the offset by one, but then
>
I think this diagnosis is wrong -- it's not that the offset is increased,
it's that zlemetaline is shortened (by removal of the single quote).
The end result is the same, though -- the start of the word is calculated
by subtracting the offset from the current position, and the resulting
index is off the left end.
Having gotten that far, though, I don't know how to fix it.
>
The following may do it? Completion tests still pass. Without the change:
% autoload compinit zed
% compinit -D
% zstyle \* format %d
% alias a='<TAB>
% alias a=
With this change the vanishing quote mark no longer vanishes and a
description appears:
% autoload compinit zed
% compinit -D
% zstyle \* format %d
% alias a='<TAB>
`alias definition', `regular alias', `global alias', or `suffix alias'
alias definition
% alias a='
And the crash no longer happens when something appears after the single
quote.
I note that offs gets changed in the loop in an outer "else"-branch when
foredel/backdel are not called, too. However, I'm not certain that the
edit should appear in BOTH hunks below. Can anyone find any other test
cases that pass through this code?
diff --git a/Src/Zle/zle_tricky.c b/Src/Zle/zle_tricky.c
index fdd1687..2c24a13 100644
--- a/Src/Zle/zle_tricky.c
+++ b/Src/Zle/zle_tricky.c
@@ -1897,6 +1897,7 @@ get_comp_string(void)
zlemetacs = wb;
}
we -= skipchars;
+ offs -= skipchars;
}
} else {
ocs = zlemetacs;
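Review bot: the new `offs -= skipchars;` is unconditional, while the surrounding code only moves the cursor inside a guarded branch (`zlemetacs = wb;` sits under an `if`), so the hunk alone does not show that the deleted characters always lie between the word start and the cursor; if they can sit to the right of the cursor, offs (the cursor's offset into the word) should not shrink. Suggest either guarding the subtraction with the same condition as the cursor adjustment or adding a one-line comment stating the invariant being maintained (offs must shrink together with `we` when text before the cursor is removed), and adding a completion test that reproduces the `alias a='"<left><TAB>` case from the report so the regression stays covered.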
@@ -1910,6 +1911,7 @@ get_comp_string(void)
if (wb > zlemetacs)
zlemetacs = wb;
we -= skipchars;
+ offs -= skipchars;
}
/* we need to get rid of all the quotation bits... */
while (skipchars--)
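Review bot: the same unconditional `offs -= skipchars;` appears here directly before `while (skipchars--)`; since that loop consumes skipchars, the subtraction has to stay ahead of it, which this placement satisfies, but a short comment saying so would stop a later reorder from silently reintroducing the off-by-one. The mail asks whether both hunks need the change and for test cases that pass through this branch, so before merging it is worth (a) checking that offs cannot drop below zero on this path when the cursor already sits at the start of the word, e.g. with a clamp or assertion, and (b) adding a test that reaches this second branch separately from the first.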
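A reduced model of the index bookkeeping the mail describes, added here as an illustration and not taken from zsh: the field names mirror zlemetaline, zlemetacs, offs and we, the word `'"` with the cursor between the two quotes is a constructed input standing in for the word after `compset -P 1 '*='` has removed `a=`, and cursor handling is simplified to a single deletion to the left of the cursor.

```c
#include <stdio.h>
#include <string.h>

/* Reduced model of the bookkeeping get_comp_string() keeps while it strips
 * quoting from the completion word.  Added illustration, not zsh code: the
 * field names mirror zsh's, the logic is cut down to the one step at issue. */
struct cstate {
    char line[32]; /* zlemetaline: the edit buffer (word only, here) */
    int cs;        /* zlemetacs: cursor index into line */
    int we;        /* index just past the end of the current word */
    int offs;      /* cursor's offset from the start of the current word */
};

/* Delete `skipchars` characters at index `at` (the quote) and put the cursor
 * back, as foredel() followed by `zlemetacs = ocs` does.  With fix_offs set,
 * the offset is corrected as the patch's `offs -= skipchars;` does. */
static void strip_quote(struct cstate *s, int at, int skipchars, int fix_offs)
{
    int len = (int)strlen(s->line);
    memmove(s->line + at, s->line + at + skipchars, len - at - skipchars + 1);
    if (at < s->cs)           /* deleted text sat left of the cursor */
        s->cs -= skipchars;
    s->we -= skipchars;
    if (fix_offs)
        s->offs -= skipchars;
}

/* Word start as the mail describes it: current position minus offset. */
static int word_begin(const struct cstate *s)
{
    return s->cs - s->offs;
}

/* Constructed case: word is `'"`, cursor between the quotes (index 1),
 * so offs == 1.  Returns the derived word start after the ' is removed. */
static int word_begin_after_strip(int fix_offs)
{
    struct cstate s = { "'\"", 1, 2, 1 };
    strip_quote(&s, 0, 1, fix_offs);
    return word_begin(&s);
}

int main(void)
{
    printf("without fix: wb = %d\n", word_begin_after_strip(0)); /* -1: off the left end */
    printf("with fix:    wb = %d\n", word_begin_after_strip(1)); /*  0 */
    return 0;
}
```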