[Pkg-zsh-devel] Bug#882373: zsh -n: null pointer dereference in paramsubst()

Jakub Wilk jwilk at jwilk.net
Tue Nov 21 21:29:06 UTC 2017 

Package: zsh
Version: 5.4.2-2

zsh crashes when checking syntax of the attached file:

   $ zsh -n nullptr.sh
   Segmentation fault

GDB says that it's a null pointer dereference:

   Program received signal SIGSEGV, Segmentation fault.
   0x565e1443 in paramsubst (ret_flags=<optimized out>, pf_flags=<optimized out>, qt=<optimized out>, str=0xffffbb74, n=<optimized out>, l=<optimized out>) at ../../Src/subst.c:3223
   3223                        if (*check_offset2 && *check_offset2 != ':') {
   (gdb) print check_offset2
   $2 = 0x0
   (gdb) bt
   #0  0x565e1443 in paramsubst (ret_flags=<optimized out>, pf_flags=<optimized out>, qt=<optimized out>, str=0xffffbb74, n=<optimized out>, l=<optimized out>) at ../../Src/subst.c:3223
   #1  stringsubst (list=list at entry=0xffffbd70, node=<optimized out>, pf_flags=<optimized out>, pf_flags at entry=0, ret_flags=<optimized out>, asssub=<optimized out>) at ../../Src/subst.c:247
   #2  0x565e1649 in prefork (list=0xffffbd70, flags=0, ret_flags=0xffffbcb4) at ../../Src/subst.c:85
   #3  0x5657aaea in execcmd_getargs (preargs=preargs at entry=0xf7fcd4b0, args=args at entry=0xf7fcd488, expand=<optimized out>) at ../../Src/exec.c:2676
   #4  0x5657f00a in execcmd_exec (state=state at entry=0xffffd430, eparams=eparams at entry=0xffffd05c, input=input at entry=0, output=0, how=<optimized out>, last1=2) at ../../Src/exec.c:2782 #5  0x565826ca in execpline2 (state=state at entry=0xffffd430, pcode=<optimized out>, how=how at entry=18, input=0, output=0, last1=0) at ../../Src/exec.c:1887
   #6  0x56582ac0 in execpline (state=state at entry=0xffffd430, slcode=<optimized out>, how=how at entry=18, last1=0) at ../../Src/exec.c:1616
   #7  0x565840c1 in execlist (state=0xffffd430, dont_change_job=0, exiting=0) at ../../Src/exec.c:1371
   #8  0x565846e2 in execode (p=0xf7fcd438, dont_change_job=0, exiting=0, context=0x565f55c1 "toplevel") at ../../Src/exec.c:1152
   #9  0x5659a45b in loop (toplevel=1, justonce=0) at ../../Src/init.c:208
   #10 0x5659d9d2 in zsh_main (argc=3, argv=0xffffd754) at ../../Src/init.c:1692
   #11 0x56564ac7 in main (argc=3, argv=0xffffd754) at ../../Src/main.c:93


-- System Information:
Architecture: i386

Versions of packages zsh depends on:
ii  zsh-common  5.4.2-2
ii  libc6       2.25-1
ii  libcap2     1:2.25-1.1
ii  libtinfo5   6.0+20170902-1

Versions of packages zsh recommends:
ii  libncursesw5  6.0+20170902-1
ii  libpcre3      2:8.39-5

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nullptr.sh
Type: application/x-sh
Size: 11 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-zsh-devel/attachments/20171121/fd4b9dfb/attachment.sh>

More information about the Pkg-zsh-devel mailing list