Bug#882373: zsh -n: null pointer dereference in paramsubst()

Tue, 21 Nov 2017 13:39:06 -0800 

Package: zsh
Version: 5.4.2-2

zsh crashes when checking syntax of the attached file:

  $ zsh -n nullptr.sh
  Segmentation fault

GDB says that it's a null pointer dereference:

  Program received signal SIGSEGV, Segmentation fault.
  0x565e1443 in paramsubst (ret_flags=<optimized out>, pf_flags=<optimized out>, qt=<optimized 
out>, str=0xffffbb74, n=<optimized out>, l=<optimized out>) at ../../Src/subst.c:3223
  3223                        if (*check_offset2 && *check_offset2 != ':') {
  (gdb) print check_offset2
  $2 = 0x0
  (gdb) bt
  #0  0x565e1443 in paramsubst (ret_flags=<optimized out>, pf_flags=<optimized out>, 
qt=<optimized out>, str=0xffffbb74, n=<optimized out>, l=<optimized out>) at 
../../Src/subst.c:3223
  #1  stringsubst (list=list@entry=0xffffbd70, node=<optimized out>, pf_flags=<optimized 
out>, pf_flags@entry=0, ret_flags=<optimized out>, asssub=<optimized out>) at 
../../Src/subst.c:247
  #2  0x565e1649 in prefork (list=0xffffbd70, flags=0, ret_flags=0xffffbcb4) at 
../../Src/subst.c:85
  #3  0x5657aaea in execcmd_getargs (preargs=preargs@entry=0xf7fcd4b0, 
args=args@entry=0xf7fcd488, expand=<optimized out>) at ../../Src/exec.c:2676
  #4  0x5657f00a in execcmd_exec (state=state@entry=0xffffd430, 
eparams=eparams@entry=0xffffd05c, input=input@entry=0, output=0, how=<optimized out>, 
last1=2) at ../../Src/exec.c:2782 #5  0x565826ca in execpline2 
(state=state@entry=0xffffd430, pcode=<optimized out>, how=how@entry=18, input=0, 
output=0, last1=0) at ../../Src/exec.c:1887
  #6  0x56582ac0 in execpline (state=state@entry=0xffffd430, slcode=<optimized 
out>, how=how@entry=18, last1=0) at ../../Src/exec.c:1616
  #7  0x565840c1 in execlist (state=0xffffd430, dont_change_job=0, exiting=0) 
at ../../Src/exec.c:1371
  #8  0x565846e2 in execode (p=0xf7fcd438, dont_change_job=0, exiting=0, 
context=0x565f55c1 "toplevel") at ../../Src/exec.c:1152
  #9  0x5659a45b in loop (toplevel=1, justonce=0) at ../../Src/init.c:208
  #10 0x5659d9d2 in zsh_main (argc=3, argv=0xffffd754) at ../../Src/init.c:1692
  #11 0x56564ac7 in main (argc=3, argv=0xffffd754) at ../../Src/main.c:93


-- System Information:
Architecture: i386

Versions of packages zsh depends on:
ii  zsh-common  5.4.2-2
ii  libc6       2.25-1
ii  libcap2     1:2.25-1.1
ii  libtinfo5   6.0+20170902-1

Versions of packages zsh recommends:
ii  libncursesw5  6.0+20170902-1
ii  libpcre3      2:8.39-5

--
Jakub Wilk

Attachment: nullptr.sh
Description: Bourne shell script

Reply via email to