From 3bf95b91f0cd378c1a4e9c611a51cb9fe0e2ffcd Mon Sep 17 00:00:00 2001
From: Mikael Magnusson
Date: Sat, 19 Mar 2022 01:20:57 +0100
Subject: [PATCH] 49870: Fix NULL reference in match code more

This reverts "49658: Fix NULL reference in match code." and adds a check inside the block, as well as a failsafe check at the end. The above commit (49658) causes a crash due to ll being calculated as 0 which leads to rr being an invalid pointer. Only adding a check for when ll is 0 just leads to bck-i-search pattern not working at all (the final hunk). Restoring the condition and adding an explicit NULL check for replstr seems to make matters work as intended.
---
 ChangeLog | 2 ++
 Src/glob.c | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4b02f3bc8..3b7cc4921 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,8 @@
 * 49915: Src/Zle/comp.h, Src/Zle/compcore.c: Efficient dedup for unsorted completions
+ * 49870: Src/glob.c: Fix NULL reference in match code more
+
 2022-03-29 Bart Schaefer
 * 49918: NEWS, README: Update for 49917 and 49911.
diff --git a/Src/glob.c b/Src/glob.c
index 375671cea..349862531 100644
--- a/Src/glob.c
+++ b/Src/glob.c
@@ -2549,7 +2549,7 @@ get_match_ret(Imatchdata imd, int b, int e)
 e += add;
 /* Everything now refers to metafied lengths. */
- if (replstr) {
+ if (replstr || (fl & SUB_LIST)) {
 if (fl & SUB_DOSUBST) {
 replstr = dupstring(replstr);
 singsub(&replstr);
@@ -2568,7 +2568,8 @@ get_match_ret(Imatchdata imd, int b, int e)
 addlinknode(imd->repllist, rd);
 return imd->mstr;
 }
- ll += strlen(replstr);
+ if (replstr)
+ ll += strlen(replstr);
 }
 if (fl & SUB_MATCH) /* matched portion */
 ll += 1 + (e - b);
@@ -2594,6 +2595,9 @@ get_match_ret(Imatchdata imd, int b, int e)
 if (bl)
 buf[bl - 1] = '\0';
+ if (ll == 0)
+ return NULL;
+
 rr = r = (char *) hcalloc(ll);
 if (fl & SUB_MATCH) {
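Review bot: The restored condition `if (replstr || (fl & SUB_LIST)) {` in the first glob.c hunk lets a NULL replstr into the block, and the next lines `replstr = dupstring(replstr); singsub(&replstr);` then run on it whenever SUB_DOSUBST is also set; whether SUB_LIST and SUB_DOSUBST can co-occur with no replacement string is not visible here, so if they can, the inner test should become `if (replstr && (fl & SUB_DOSUBST)) {` unless dupstring and singsub are known to tolerate NULL. The only explanation of why SUB_LIST enters without a replacement string is the commit message's bck-i-search case, so a comment on the condition, e.g. `/* SUB_LIST must take this path even with replstr == NULL (see 49870) */`, would stop the condition being narrowed again as 49658 did. The guarded `ll += strlen(replstr);` in the second hunk is correct as written. get_match_ret begins and ends outside these hunks.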
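Review bot: The new guard `if (ll == 0) return NULL;` in the last glob.c hunk makes get_match_ret return NULL on a path that previously always handed back the result of `hcalloc(ll)`, and nothing in the hunk shows that callers check for a NULL return, so either that needs confirming at each call site or the guard should be documented as a failsafe not expected to fire. The commit message gives the reason (ll == 0 left rr as an invalid pointer) but the code does not; a comment such as `/* Failsafe: with ll == 0 the hcalloc() result would be unusable (49870) */` above the check would preserve it. The function continues past the end of the hunk.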