Re: zsh malloc/heap corruption

[Mikael Magnusson <mikachu@xxxxxxxxx>]

On Sun, Sep 28, 2025 at 7:19 PM Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
>
> On Sat, Sep 27, 2025 at 8:56 PM Anthony Heading <ajrh@xxxxxxxx> wrote:
> >
> > Is it useful if I work on a better testcase with this new understanding,
> > or does that one stack trace tell you all that's needed?
>
> The key seems to be this bit:
>
> #15 _int_malloc (av=av@entry=0x7987fd603ac0 <main_arena>, bytes=bytes@entry=88)
>     at ./malloc/malloc.c:4410
> #16 0x00007987fd4ae931 in __libc_calloc (n=n@entry=88,
>     elem_size=elem_size@entry=1) at ./malloc/malloc.c:3754
> #17 0x00007987fd502cbd in create_cd_newstate (hash=23, context=0,
>     nodes=0x7fff8941f760, dfa=0x5b93559c14e0) at ./posix/regex_internal.c:1687
> #18 re_acquire_state_context (context=0, nodes=0x7fff8941f760,
>     dfa=0x5b93559c14e0, err=0x7fff8941f75c) at ./posix/regex_internal.c:1562
> #19 build_trtable (dfa=0x5b93559c14e0, state=state@entry=0x5b93559be5a0)
>     at ./posix/regexec.c:3331
> #20 0x00007987fd507154 in transit_state (state=0x5b93559be5a0,
>     mctx=0x7fff894241a0, err=0x7fff894240bc) at ./posix/regexec.c:2257
> #21 check_matching (p_match_first=<optimized out>, fl_longest_match=true,
>     mctx=0x7fff894241a0) at ./posix/regexec.c:1120
> #22 re_search_internal (preg=preg@entry=0x7fff894243f0,
>     string=string@entry=0x5b93559babc0 "+main_task:3> pwd", length=17,
>     start=<optimized out>, last_start=<optimized out>, stop=<optimized out>,
>     nmatch=1, pmatch=0x5b93559b5110, eflags=0) at ./posix/regexec.c:792
>
> The POSIX regex library is directly calling calloc(), which lacks the
> signal protection in the wrappers zsh uses for all its own memory
> allocation.
>
> The following should fix it, at the cost of possibly slowing down some
> regular expression matches a little.
>
> diff --git a/Src/Modules/regex.c b/Src/Modules/regex.c
> index d02769ef0..cd11b16d7 100644
> --- a/Src/Modules/regex.c
> +++ b/Src/Modules/regex.c
> @@ -74,7 +74,9 @@ zcond_regex_match(char **a, int id)
>         rcflags |= REG_EXTENDED;
>         if (!isset(CASEMATCH))
>             rcflags |= REG_ICASE;
> +       queue_signals();
>         r = regcomp(&re, rhre, rcflags);
> +       unqueue_signals();
>         if (r) {
>             zregex_regerrwarn(r, &re, "failed to compile regex");
>             break;
> @@ -89,7 +91,9 @@ zcond_regex_match(char **a, int id)
>         }
>         matchessz = (re.re_nsub + 1) * sizeof(regmatch_t);
>         matches = zalloc(matchessz);
> +       queue_signals();
>         r = regexec(&re, lhstr, re.re_nsub+1, matches, reflags);
> +       unqueue_signals();
>         if (r == REG_NOMATCH)
>             ; /* We do nothing when we fail to match. */
>         else if (r == 0) {
>

Is regfree() later on safe?

-- 
Mikael Magnusson