Bug 1374752

Summary: zsh heredoc crash
Product: Red Hat Enterprise Linux 7
Reporter: Paulo Andrade <pandrade>
Component: zsh
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: Jan Kepler <jkejda>
Severity: medium
Docs Contact:
Priority: urgent
Version: 7.1
CC: dbodnarc, fkrska, isenfeld, jkejda, kdudka, mkolaja, zpytela
Target Milestone: rc
Keywords: Patch, Reproducer, ZStream
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: zsh-5.0.2-26.el7
Doc Type: No Doc Update
Doc Text: Already documented at https://bugzilla.redhat.com/1399534
Story Points: ---
Clone Of:
: 1399534
Environment:
Last Closed: 2017-08-01 20:38:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1298243, 1399534

Description Paulo Andrade 2016-09-09 14:09:36 UTC
Problem reported upstream at
http://www.zsh.org/mla/users/2016/msg00710.html

  A possible patch has been reported upstream as
well:

---8<---
$ gendiff zsh-5.0.2 .orig
diff -up zsh-5.0.2/Src/exec.c.orig zsh-5.0.2/Src/exec.c
--- zsh-5.0.2/Src/exec.c.orig	2016-09-06 15:10:19.394565181 -0300
+++ zsh-5.0.2/Src/exec.c	2016-09-06 15:10:36.300551444 -0300
@@ -3631,16 +3631,16 @@ gethere(char **strp, int typ)
 	*bptr++ = '\n';
     }
     *t = '\0';
+    s = dupstring(buf);
+    zfree(buf, bsiz);
     if (!qt) {
 	int ef = errflag;
 
-	parsestr(buf);
+	parsestr(s);
 
 	if (!errflag)
 	    errflag = ef;
     }
-    s = dupstring(buf);
-    zfree(buf, bsiz);
     return s;
 }
 
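Review bot: in the reordered block, `parsestr(s)` receives `s` by value while the function still ends with `return s;`. The report text after the patch attributes the crash to hrealloc being called on this buffer, so if parsing can reallocate the string, the pointer returned here may no longer be the live one. Please confirm that cannot happen, or have the parse step hand back the possibly moved pointer. A one-line comment above `s = dupstring(buf);` saying that the copy must exist before parsing would also keep a later cleanup from moving it back below the `if (!qt)` block.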
---8<---

  The problem is caused by mixing system malloc data
and internal zsh allocator. It does not find the Heap
associated with the pointer passed to hrealloc and
crashes when dereferencing a null pointer.

  Simple reproducer:
---8<---
#!/usr/bin/zsh

cat >> /tmp/try <<EOF
export A="$(tr '\n' ' ' <<BLDARC
content
BLDARC)"
EOF
---8<---
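The failure mode described above, as an added example that is not part of the original report and not zsh code: a toy arena allocator whose reallocator must first find the heap that owns a pointer. All names (`toy_halloc`, `toy_hrealloc`, `grow_heredoc`) and the sample text are hypothetical, and the toy checks the lookup result where the report says the real code path dereferenced a null pointer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy arena standing in for a shell-internal heap; all names are hypothetical. */
struct heap { struct heap *next; size_t used; char arena[256]; };
static struct heap *heaps;

/* Find the heap whose arena contains p; NULL means p was not allocated here. */
static struct heap *find_heap(const char *p) {
    uintptr_t a = (uintptr_t)p;
    for (struct heap *h = heaps; h; h = h->next)
        if (a >= (uintptr_t)h->arena && a < (uintptr_t)h->arena + sizeof h->arena)
            return h;
    return NULL;
}

static char *toy_halloc(size_t n) {
    if (!heaps && !(heaps = calloc(1, sizeof *heaps))) return NULL;
    if (n > sizeof heaps->arena - heaps->used) return NULL;
    heaps->used += n;
    return heaps->arena + heaps->used - n;
}

/* Lookup is checked here; used unchecked, it is the NULL dereference in the report. */
static char *toy_hrealloc(char *p, size_t oldn, size_t newn) {
    char *q = find_heap(p) ? toy_halloc(newn) : NULL;
    return q ? memcpy(q, p, oldn < newn ? oldn : newn) : NULL;
}

/* Grow a here-document buffer. copy_first selects the patched order: copy
 * into the arena so that only arena memory reaches the reallocator. */
int grow_heredoc(int copy_first) {
    const char text[] = "content\n";            /* constructed sample body */
    char *buf = malloc(sizeof text), *s, *g;
    if (!buf || !toy_halloc(1)) { free(buf); return -1; }
    memcpy(buf, text, sizeof text);
    s = buf;
    if (copy_first && (s = toy_halloc(sizeof text)))
        memcpy(s, buf, sizeof text);
    g = s ? toy_hrealloc(s, sizeof text, 32) : NULL;
    free(buf);
    return g && strcmp(g, text) == 0;           /* 1 only if the grow succeeded */
}

int main(void) {
    printf("unpatched order: %d, patched order: %d\n", grow_heredoc(0), grow_heredoc(1));
    return 0;
}
```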

Comment 1 Kamil Dudka 2016-09-09 14:30:44 UTC
Thank you for reporting the bug!

Next time please remember to report the exact NVR (Name-Version-Release) of the package you tested it with.

This bug seems to be already fixed upstream:
https://sourceforge.net/p/zsh/code/ci/c6c9f5da

Comment 17 Kamil Dudka 2017-03-13 18:53:41 UTC
Clearing the needinfo flag.  The answer is available in bug #1431068 comment #2.

Comment 18 errata-xmlrpc 2017-08-01 20:38:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1955