authorMikael Magnusson <mikachu@gmail.com>2022-03-19 01:20:57 +0100
committerMikael Magnusson <mikachu@gmail.com>2022-03-30 08:07:39 +0200
commit3bf95b91f0cd378c1a4e9c611a51cb9fe0e2ffcd (patch)
treeb4719cea1999f39d6bab12772c0e4e7c8b518e92
parent6a9b3bb290abc1f9427f6574d9b12ec00108f907 (diff)
49870: Fix NULL reference in match code more
This reverts "49658: Fix NULL reference in match code." and adds a check inside the block, as well as a failsafe check at the end. The above commit (49658) causes a crash due to ll being calculated as 0 which leads to rr being an invalid pointer. Only adding a check for when ll is 0 just leads to bck-i-search pattern not working at all (the final hunk). Restoring the condition and adding an explicit NULL check for replstr seems to make matters work as intended.
-rw-r--r--ChangeLog2
-rw-r--r--Src/glob.c8
2 files changed, 8 insertions, 2 deletions
diff --git a/ChangeLog b/ChangeLog
index 4b02f3bc8..3b7cc4921 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -13,6 +13,8 @@
* 49915: Src/Zle/comp.h, Src/Zle/compcore.c: Efficient dedup
for unsorted completions
+ * 49870: Src/glob.c: Fix NULL reference in match code more
+
2022-03-29 Bart Schaefer <schaefer@zsh.org>
* 49918: NEWS, README: Update for 49917 and 49911.
diff --git a/Src/glob.c b/Src/glob.c
index 375671cea..349862531 100644
--- a/Src/glob.c
+++ b/Src/glob.c
@@ -2549,7 +2549,7 @@ get_match_ret(Imatchdata imd, int b, int e)
e += add;
/* Everything now refers to metafied lengths. */
- if (replstr) {
+ if (replstr || (fl & SUB_LIST)) {
if (fl & SUB_DOSUBST) {
replstr = dupstring(replstr);
singsub(&replstr);
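Review bot: With the condition widened to `replstr || (fl & SUB_LIST)`, replstr can now be NULL inside this block, and the SUB_DOSUBST branch still passes it to dupstring() and singsub() without a check. Whether those helpers accept NULL, and whether SUB_DOSUBST can be set together with SUB_LIST when there is no replacement string, cannot be told from the hunk, so the guard is better made explicit: `if (replstr && (fl & SUB_DOSUBST)) {`. The later hunk guards only the strlen() call. get_match_ret's body starts and ends outside this hunk.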
@@ -2568,7 +2568,8 @@ get_match_ret(Imatchdata imd, int b, int e)
addlinknode(imd->repllist, rd);
return imd->mstr;
}
- ll += strlen(replstr);
+ if (replstr)
+ ll += strlen(replstr);
}
if (fl & SUB_MATCH) /* matched portion */
ll += 1 + (e - b);
@@ -2594,6 +2595,9 @@ get_match_ret(Imatchdata imd, int b, int e)
if (bl)
buf[bl - 1] = '\0';
+ if (ll == 0)
+ return NULL;
+
rr = r = (char *) hcalloc(ll);
if (fl & SUB_MATCH) {
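Review bot: The new `return NULL` gives get_match_ret a result its callers may not have had to handle before. None of the callers are visible here, so each one needs checking for a NULL test before the result is used; otherwise the NULL dereference simply moves to the call site. The check also deserves a comment saying when ll can be zero, for example `/* nothing to build: no replacement string and no SUB_* part requested */`, worded to match the actual cause. If ll is a signed int, `ll <= 0` would be a stricter failsafe in front of hcalloc(). The function continues past the end of the hunk.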