From 2c13d9fb0da0ec513e577c2589ec545df665326e Mon Sep 17 00:00:00 2001
From: "Barton E. Schaefer" <schaefer@zsh.org>
Date: Sat, 14 Feb 2015 10:43:10 -0800
Subject: 34543: Prevent crash on garbage bytes inside $(...)

Garbage input (nul bytes, etc.) can cause the $(...) parser to become
confused during look-ahead and attempt to back up the input too far.
This commit catches the error but does not fix the underlying cause.
---
 Src/input.c | 6 ++++--
 Src/lex.c   | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

(limited to 'Src')

diff --git a/Src/input.c b/Src/input.c
index 2ecac7bdc..9520fdd6d 100644
--- a/Src/input.c
+++ b/Src/input.c
@@ -393,12 +393,14 @@ inungetc(int c)
 	    if (((inbufflags & INP_LINENO) || !strin) && c == '\n')
 		lineno--;
 	}
-#ifdef DEBUG
         else if (!(inbufflags & INP_CONT)) {
+#ifdef DEBUG
 	    /* Just for debugging */
 	    fprintf(stderr, "Attempt to inungetc() at start of input.\n");
-	}
 #endif
+	    zerr("Garbled input at %c (binary file as commands?)", c);
+	    return;
+	}
 	else {
 	    /*
 	     * The character is being backed up from a previous input stack
diff --git a/Src/lex.c b/Src/lex.c
index 433c27fbb..91628d4c2 100644
--- a/Src/lex.c
+++ b/Src/lex.c
@@ -503,13 +503,15 @@ cmd_or_math(int cs_type)
     /* else unsuccessful: unget the whole thing */
     hungetc(c);
     lexstop = 0;
-    while (lexbuf.len > oldlen) {
+    while (lexbuf.len > oldlen && !errflag) {
 	lexbuf.len--;
 	hungetc(itok(*--lexbuf.ptr) ?
 		ztokens[*lexbuf.ptr - Pound] : *lexbuf.ptr);
     }
+    if (errflag)
+	return 2;
     hungetc('(');
-    return 0;
+    return errflag ? 2 : 0;
 }
 
 
-- 
cgit 1.4.1