Zsh Mailing List Archive

stack overflow in patmatch()
Hi,

A user on irc reported that zsh crashes when they invoked
insert-unicode-char with zsh-syntax-highlighting.zsh [1] loaded. It
turned out they pressed space instead of invoking the widget again
after entering the unicode codepoint, which of course causes zsh to
insert however many spaces correspond to the codepoint entered, which
in this particular case was 8630 spaces (many).

Long story short, [1] has this line of code:
[[ "$proc_buf" = (#b)(#s)(([[:space:]]|\\$'\n')#) ]]

which causes this backtrace (parts elided)
(gdb) bt
#0  0x000000000049d098 in patmatch (
    prog=<error reading variable: Cannot access memory at address
0x7fffff7fef38>)
    at pattern.c:2695
#1  0x000000000049e673 in patmatch (prog=0x5073d0) at pattern.c:3252
#2  0x000000000049dd8e in patmatch (prog=0x507398) at pattern.c:2978
#3  0x000000000049e673 in patmatch (prog=0x507390) at pattern.c:3252
#4  0x000000000049dcdc in patmatch (prog=0x507388) at pattern.c:2952
#5  0x000000000049e673 in patmatch (prog=0x5073d0) at pattern.c:3252
#6  0x000000000049dd8e in patmatch (prog=0x507398) at pattern.c:2978
#7  0x000000000049e673 in patmatch (prog=0x507390) at pattern.c:3252
#8  0x000000000049dcdc in patmatch (prog=0x507388) at pattern.c:2952
...
#8179 0x000000000049e673 in patmatch (prog=0x507390) at pattern.c:3252
#8180 0x000000000049dcdc in patmatch (prog=0x507388) at pattern.c:2952
#8181 0x000000000049e673 in patmatch (prog=0x507370) at pattern.c:3252
#8182 0x000000000049dcdc in patmatch (prog=0x507358) at pattern.c:2952
#8183 0x000000000049ca21 in pattryrefs (prog=0x507320,
string=0x7ffff7fb7020 ' ' <repeats 200 times>..., stringlen=10692,
unmetalenin=-1, patstralloc=0x7fffffffcb90, patoffset=0, nump=0x0,
begp=0x0, endp=0x0) at pattern.c:2496
#8184 0x000000000049c306 in pattry (prog=0x507320,
string=0x7ffff7fb7020 ' ' <repeats 200 times>...) at pattern.c:2225
#8185 0x000000000042e1dc in evalcond (state=0x7fffffffd1b0,
fromtest=0x0) at cond.c:322
#8186 0x000000000043df20 in execcond (state=0x7fffffffd1b0, do_exec=0)
at exec.c:5246
#8187 0x000000000043244a in execsimple (state=0x7fffffffd1b0) at exec.c:1337
#8188 0x00000000004328d6 in execlist (state=0x7fffffffd1b0,
dont_change_job=0, exiting=1) at exec.c:1465
#8189 0x0000000000432106 in execode (p=0x7ffff7fcacf0,
dont_change_job=0, exiting=1, context=0x4d0c85 "cmdarg") at
exec.c:1279
#8190 0x0000000000431fd0 in execstring (s=0x7fffffffd838 "setopt
extendedglob; a=\"", ' ' <repeats 11 times>, "\"; a=\"$a$a$a\";
a=\"$a$a$a\"; a=\"$a$a$a\"; a=\"$a$a$a\"; a=\"$a$a$a\";
a=\"$a$a$a$a\"; echo $#a; [[ \"$a\" = (#b)(#s)(([[:space:]]|\\\\$n)#)
]]", dont_change_job=0, exiting=1, context=0x4d0c85 "cmdarg") at
exec.c:1245
#8191 0x000000000045bc85 in init_misc (cmd=0x7fffffffd838 "setopt
extendedglob; a=\"", ' ' <repeats 11 times>, "\"; a=\"$a$a$a\";
a=\"$a$a$a\"; a=\"$a$a$a\"; a=\"$a$a$a\"; a=\"$a$a$a\";
a=\"$a$a$a$a\"; echo $#a; [[ \"$a\" = (#b)(#s)(([[:space:]]|\\\\$n)#)
]]", zsh_name=0x7fffffffd830 "zsh") at init.c:1538
#8192 0x000000000045d215 in zsh_main (argc=3, argv=0x7fffffffd3a8) at
init.c:1919
#8193 0x0000000000410d52 in main (argc=3, argv=0x7fffffffd3a8) at ./main.c:93

Eagle-eyed readers will observe this is actually from another invocation:
gdb --args Src/zsh -fc 'setopt extendedglob; a="           ";
a="$a$a$a"; a="$a$a$a"; a="$a$a$a"; a="$a$a$a"; a="$a$a$a";
a="$a$a$a$a"; echo $#a; [[ "$a" = (#b)(#s)(([[:space:]]|\\$'\n')#) ]]'
which does not require any third party modules to reproduce the crash.

What are the thoughts here, is this an error in the z-sy-h script's
pattern, or could we improve patmatch() to at least not crash? (I have
never looked at patmatch() and would love to keep it that way).

[1] https://github.com/zsh-users/zsh-syntax-highlighting

-- 
Mikael Magnusson
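The backtrace above shows one patmatch() frame per repetition of the `#` closure, which is why a run of thousands of spaces exhausts the stack. As an added illustration that is not zsh's code, here is a toy C matcher for the same closure `(([[:space:]]|\\$'\n')#)`, written first recursively (stack depth grows with the run of spaces) and then iteratively (constant stack); all function names are assumed, and the 8630-space input is constructed to match the report.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

static size_t max_depth; /* deepest closure_rec() frame in the last match */

/* One repetition of ([[:space:]]|\\$'\n'): bytes consumed at s, or 0. */
static size_t one_elem(const char *s)
{
    if (isspace((unsigned char)s[0])) return 1;  /* [[:space:]] */
    if (s[0] == '\\' && s[1] == '\n') return 2;  /* backslash, newline */
    return 0;
}

/* Recursive greedy closure, as in the backtrace: one frame per repetition,
 * so stack use grows with the run of spaces. Nothing follows the closure in
 * the pattern, so the match always succeeds; the return is $match[1]'s length. */
static size_t closure_rec(const char *s, size_t consumed, size_t depth)
{
    size_t n = one_elem(s);
    if (depth > max_depth) max_depth = depth;
    return n ? closure_rec(s + n, consumed + n, depth + 1) : consumed;
}

size_t match_recursive(const char *s)
{
    max_depth = 0;
    return closure_rec(s, 0, 0);
}

/* Iterative closure: same language, constant stack regardless of input. */
size_t match_iterative(const char *s)
{
    size_t consumed = 0, n;
    while ((n = one_elem(s + consumed)) != 0) consumed += n;
    return consumed;
}

/* Constructed input as in the report (count spaces): recursion depth needed. */
size_t recursion_depth_for_spaces(size_t count)
{
    char *buf = malloc(count + 1);
    if (!buf) return 0;
    memset(buf, ' ', count);
    buf[count] = '\0';
    match_recursive(buf);
    free(buf);
    return max_depth;
}
```

The toy frames are small enough that 8630 levels fit in a default stack; the point is that the depth is the input length, which a matcher that loops over single-element repetitions avoids entirely.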
