Bug 1374752 - zsh heredoc crash
Summary: zsh heredoc crash
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: zsh
Version: 7.1
Hardware: All
OS: Linux
urgent
medium
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: Jan Kepler
URL:
Whiteboard:
Depends On:
Blocks: 1298243 1399534
 
Reported: 2016-09-09 14:09 UTC by Paulo Andrade
Modified: 2021-03-11 14:41 UTC

Fixed In Version: zsh-5.0.2-26.el7
Doc Type: No Doc Update
Doc Text:
Already documented at https://bugzilla.redhat.com/1399534
Clone Of:
: 1399534 (view as bug list)
Environment:
Last Closed: 2017-08-01 20:38:39 UTC
Target Upstream Version:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Knowledge Base (Solution) | 2877061 | 0 | None | None | None | 2017-01-18 14:59:30 UTC
Red Hat Product Errata | RHBA-2017:1955 | 0 | normal | SHIPPED_LIVE | zsh bug fix update | 2017-08-01 18:30:06 UTC

Description Paulo Andrade 2016-09-09 14:09:36 UTC
Problem reported upstream at
http://www.zsh.org/mla/users/2016/msg00710.html

  A possible patch has been reported upstream as
well:

---8<---
$ gendiff zsh-5.0.2 .orig
diff -up zsh-5.0.2/Src/exec.c.orig zsh-5.0.2/Src/exec.c
--- zsh-5.0.2/Src/exec.c.orig	2016-09-06 15:10:19.394565181 -0300
+++ zsh-5.0.2/Src/exec.c	2016-09-06 15:10:36.300551444 -0300
@@ -3631,16 +3631,16 @@ gethere(char **strp, int typ)
 	*bptr++ = '\n';
     }
     *t = '\0';
+    s = dupstring(buf);
+    zfree(buf, bsiz);
     if (!qt) {
 	int ef = errflag;
 
-	parsestr(buf);
+	parsestr(s);
 
 	if (!errflag)
 	    errflag = ef;
     }
-    s = dupstring(buf);
-    zfree(buf, bsiz);
     return s;
 }
 
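Review bot: the reordering at the top of the hunk (`s = dupstring(buf); zfree(buf, bsiz);` moved above `if (!qt)`) is what the fix depends on, but nothing in the code says so. Please add a comment stating that `parsestr()` must be handed the `dupstring()` copy rather than the `buf` that is released with `zfree`, so a later cleanup does not move the copy back below the parse. Because `buf` is now freed before the `if (!qt)` block, nothing after that point may touch it; the visible lines do not, but it is worth checking the rest of the function for pointers that still refer to `buf`. Also note that `parsestr(s)` receives the pointer by value while the function ends with `return s;`, so if the parse can reallocate the string (the report mentions hrealloc), confirm that `s` still refers to the parsed result on return.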
---8<---

  The problem is caused by mixing system malloc data
and internal zsh allocator. It does not find the Heap
associated with the pointer passed to hrealloc and
crashes when dereferencing a null pointer.

  Simple reproducer:
---8<---
#!/usr/bin/zsh

cat >> /tmp/try <<EOF
export A="$(tr '\n' ' ' <<BLDARC
content
BLDARC)"
EOF
---8<---
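
The failure mode described above (a realloc that looks up the owning heap and gets nothing back for memory that came from the system allocator), as an added example; this is not zsh's code, and the toy arena and every name in it are assumptions made for illustration. It shows the lookup failing for a malloc pointer, the defensive check that refuses it instead of dereferencing the missing heap, and the copy-first ordering the patch uses.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define ARENA_SIZE 256  /* toy arena; all names hypothetical, not zsh's */
struct arena { struct arena *next; size_t used; char mem[ARENA_SIZE]; };
static struct arena *arenas;            /* every arena the allocator owns */

/* Return the arena containing p, or NULL when p is foreign (e.g. malloc). */
static struct arena *find_arena(const void *p) {
    uintptr_t x = (uintptr_t)p;
    for (struct arena *a = arenas; a; a = a->next)
        if (x - (uintptr_t)a->mem < ARENA_SIZE) return a; /* unsigned range check */
    return NULL;
}

/* Bump-allocate n bytes (byte alignment only: enough for strings). */
static void *arena_alloc(size_t n) {
    struct arena *a = arenas;
    if (!a || n > ARENA_SIZE - a->used) {
        if (n > ARENA_SIZE || !(a = calloc(1, sizeof *a))) return NULL;
        a->next = arenas; arenas = a;
    }
    a->used += n;
    return a->mem + a->used - n;
}

/* Copy a string into arena memory, the role dupstring() has in the patch. */
static char *arena_strdup(const char *s) {
    char *p = arena_alloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

/* Grow a block; a pointer no arena owns is refused, never dereferenced. */
static void *arena_realloc(void *p, size_t old, size_t want) {
    if (!find_arena(p)) return NULL;
    void *q = arena_alloc(want);
    return q ? memcpy(q, p, old < want ? old : want) : NULL;
}

/* Returns 1 when malloc memory is refused and the arena copy grows fine. */
static int demo(void) {
    char *sys = malloc(8);
    if (!sys) return -1;
    strcpy(sys, "content");
    int refused = arena_realloc(sys, 8, 16) == NULL;
    char *own = arena_strdup(sys);      /* copy first, as the patch does */
    free(sys);
    char *grown = own ? arena_realloc(own, 8, 16) : NULL;
    return refused && grown && strcmp(grown, "content") == 0;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```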

Comment 1 Kamil Dudka 2016-09-09 14:30:44 UTC
Thank you for reporting the bug!

Next time please remember to report the exact NVR (Name-Version-Release) of the package you tested it with.

This bug seems to be already fixed upstream:
https://sourceforge.net/p/zsh/code/ci/c6c9f5da

Comment 17 Kamil Dudka 2017-03-13 18:53:41 UTC
Clearing the needinfo flag.  The answer is available in bug #1431068 comment #2.

Comment 18 errata-xmlrpc 2017-08-01 20:38:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1955

