Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Fixed crash with invalid value of 'guicursor' #1465

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Fixed crash with invalid value of 'guicursor' #1465

wants to merge 1 commit into from

Conversation

@dpelle
Copy link
Member

@dpelle dpelle commented Feb 11, 2017

Vim-8.0.325 and older crashes with this command:

$ vim -u NONE -c 'set guicursor=i-ci,r-cr:h'
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)

Beware: the command not only crashes Vim but also freezes my computer
for several seconds, as Vim allocates a huge amount of memory.

Address sanitizer gives this error:

=================================================================
==15207==ERROR: AddressSanitizer: negative-size-param: (size=-6)
    #0 0x497093 in strncpy ??:?
    #1 0x8709bb in vim_strnsave /home/pel/sb/vim/src/misc2.c:1305
    #2 0xb6c36a in syn_check_group /home/pel/sb/vim/src/syntax.c:9424
    #3 0x87ce1a in parse_shape_opt /home/pel/sb/vim/src/misc2.c:3634
    #4 0x9681e1 in did_set_string_option /home/pel/sb/vim/src/option.c:6734
    #5 0x952538 in do_set /home/pel/sb/vim/src/option.c:5006
    #6 0x6fc44c in ex_set /home/pel/sb/vim/src/ex_docmd.c:12223
    #7 0x6c766c in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2981
    #8 0x6b66e4 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1120
    #9 0x6b9e15 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:720
    #10 0xce2b9d in exe_commands /home/pel/sb/vim/src/main.c:2905
    #11 0xcdf65b in vim_main2 /home/pel/sb/vim/src/main.c:781
    #12 0xcd8440 in main /home/pel/sb/vim/src/main.c:415
    #13 0x7f3ab0993f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #14 0x4466db in _start ??:?

0x7f39ab415800 is located 0 bytes inside of 4294967291-byte region [0x7f39ab415800,0x7f3aab4157fb)
allocated by thread T0 here:
    #0 0x50a086 in malloc ??:?
    #1 0x86f858 in lalloc /home/pel/sb/vim/src/misc2.c:942
    #2 0x86f7a7 in alloc /home/pel/sb/vim/src/misc2.c:840
    #3 0x87099b in vim_strnsave /home/pel/sb/vim/src/misc2.c:1302
    #4 0xb6c36a in syn_check_group /home/pel/sb/vim/src/syntax.c:9424
    #5 0x87ce1a in parse_shape_opt /home/pel/sb/vim/src/misc2.c:3634
    #6 0x9681e1 in did_set_string_option /home/pel/sb/vim/src/option.c:6734
    #7 0x952538 in do_set /home/pel/sb/vim/src/option.c:5006
    #8 0x6fc44c in ex_set /home/pel/sb/vim/src/ex_docmd.c:12223
    #9 0x6c766c in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2981
    #10 0x6b66e4 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1120
    #11 0x6b9e15 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:720
    #12 0xce2b9d in exe_commands /home/pel/sb/vim/src/main.c:2905
    #13 0xcdf65b in vim_main2 /home/pel/sb/vim/src/main.c:781
    #14 0xcd8440 in main /home/pel/sb/vim/src/main.c:415
    #15 0x7f3ab0993f44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: negative-size-param (/home/pel/sb/vim/src/vim+0x497093)
==15207==ABORTING

Code at misc2.c:

  3632         if (round == 2) 
  3633         {
  3634             shape_table[idx].id = syn_check_group(p, 
!!3635                                          (int)(endp - p));
  3636             shape_table[idx].id_lm = shape_table[idx].id;

At line 3635, (end - p) is negative, which causes to allocate a negative
number of bytes i.e. a huge number of bytes in vim_strsave().

At misc2.c, we have:

     p="h"
     endp=",r-cr:h"

Bug was found using afl-fuzz.

This PR fixes the bug and adds tests which triggers the crash prior to the fix.

@brammool brammool closed this in 24922ec Feb 23, 2017
chrisbra pushed a commit to chrisbra/vim that referenced this pull request Mar 25, 2017
@brammool @chrisbra
patch 8.0.0357: crash when setting 'guicursor' to weird value
efa9b35 
Problem:    Crash when setting 'guicursor' to weird value.
Solution:   Avoid negative size. (Dominique Pelle, closes vim#1465)
desvp pushed a commit to desvp/vim that referenced this pull request May 30, 2017
@brammool @desvp
patch 8.0.0357: crash when setting 'guicursor' to weird value
4d07461 
Problem:    Crash when setting 'guicursor' to weird value.
Solution:   Avoid negative size. (Dominique Pelle, closes vim#1465)
@ckelsel ckelsel mentioned this pull request Mar 22, 2018
Merged
justinmk pushed a commit to neovim/neovim that referenced this pull request Mar 22, 2018
@ckelsel @justinmk
vim-patch:8.0.0357: crash when setting 'guicursor' to weird value (#8161
ce3bc12 
)

Problem:    Crash when setting 'guicursor' to weird value.
Solution:   Avoid negative size. (Dominique Pelle, closes vim/vim#1465)
vim/vim@24922ec
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dpelle