NetBSD-Bugs archive


lib/54178: libedit: parse_line should fail if tok_wstr fails



>Number:         54178
>Category:       lib
>Synopsis:       libedit: parse_line should fail if tok_wstr fails
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 08 21:15:00 +0000 2019
>Originator:     Jonathan Perkins
>Release:        Sources as of 2019/05/08
>Organization:
Google
>Environment:
>Description:
In parse.c, libedit doesn't check the return of tok_wstr:
	tok_wstr(tok, line, &argc, &argv);
	argc = el_wparse(el, argc, argv);
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libedit/parse.c?rev=1.41&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

An unmatched quote causes tok_wstr to fail.  In that case, argc may be uninitialized/non-zero.  Then el_wparse is getting called with an uninitialized argc and argv, typically resulting in a segfault.

The simple fix to this is to check the return value on tok_wstr, although initializing argc to 0 may also help.
>How-To-Repeat:
1) Start a program with a libedit prompt in emacs mode.
2) "alt-x" to be able to enter bindings.
3) "'" -- enter a single, unpaired quote
>Fix:
--- old/parse.c
+++ new/parse.c
@@ -82,11 +82,13 @@ libedit_private int
 parse_line(EditLine *el, const wchar_t *line)
 {
 	const wchar_t **argv;
-	int argc;
+	int argc = 0;
 	TokenizerW *tok;
 
 	tok = tok_winit(NULL);
-	tok_wstr(tok, line, &argc, &argv);
+	if (tok_wstr(tok, line, &argc, &argv) != 0) {
+		return -1;
+	}
 	argc = el_wparse(el, argc, argv);
 	tok_wend(tok);
 	return argc;
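Review bot: the new early `return -1;` in the tok_wstr() failure branch skips the `tok_wend(tok);` call further down, so the tokenizer obtained from `tok_winit(NULL)` is never released on the failure path (for example on every unmatched-quote line). Either call `tok_wend(tok);` before returning, or record the failure and fall through to the common cleanup, e.g. `if (tok_wstr(tok, line, &argc, &argv) != 0) argc = -1; else argc = el_wparse(el, argc, argv);` followed by the existing `tok_wend(tok); return argc;`. Separately, the value returned by `tok_winit(NULL)` is still passed to tok_wstr() without being checked; since this function is being hardened anyway, a check there would fit in the same change.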


