@dpelle dpelle commented Aug 6, 2017

This PR fixes a multiplication followed by a crash, found by afl-fuzz:

$ cat > shift-crash.vim <<EOF
normal ii
exe "normal \<C-V>876543210>"
EOF

$ vim -u NONE -S shift-crash.vim
Vim: Caught deadly signal SEGV
Vim: preserving files...
Vim: Finished.
Segmentation fault (core dumped)

ubsan points to a multiplication overflow which results
in a negative shift count:

ops.c:399:11: runtime error: signed integer overflow: 876543210 * 8 cannot be represented in type 'int'

And asan shows that memset was called with a negative size as a result:

=================================================================
==17674==ERROR: AddressSanitizer: negative-size-param: (size=-197198612)
    #0 0x7fda2462bc69 in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cc69)
    #1 0x60f98d in shift_block /home/pel/sb/vim/src/ops.c:451
    #2 0x60e95b in op_shift /home/pel/sb/vim/src/ops.c:244
    #3 0x5ee93e in do_pending_operator /home/pel/sb/vim/src/normal.c:1842
    #4 0x5eb1e6 in normal_cmd /home/pel/sb/vim/src/normal.c:1183
    #5 0x4efefd in exec_normal /home/pel/sb/vim/src/ex_docmd.c:10415
    #6 0x4efea6 in exec_normal_cmd /home/pel/sb/vim/src/ex_docmd.c:10398
    #7 0x4efae5 in ex_normal /home/pel/sb/vim/src/ex_docmd.c:10307
    #8 0x4d42d2 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #9 0x4cea01 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #10 0x471cbe in ex_execute /home/pel/sb/vim/src/eval.c:8365
    #11 0x4d42d2 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #12 0x4cea01 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #13 0x4cafbf in do_source /home/pel/sb/vim/src/ex_cmds2.c:4377
    #14 0x4ca106 in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:3990
    #15 0x4c9fa7 in ex_source /home/pel/sb/vim/src/ex_cmds2.c:3965
    #16 0x4d42d2 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #17 0x4cea01 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #18 0x4cdd9f in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:689
    #19 0x8644f4 in exe_commands /home/pel/sb/vim/src/main.c:2968
    #20 0x85ea2d in vim_main2 /home/pel/sb/vim/src/main.c:805
    #21 0x85e25b in main /home/pel/sb/vim/src/main.c:419
    #22 0x7fda2150682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #23 0x408058 in _start (/home/pel/sb/vim/src/vim+0x408058)

0x7fd928501800 is located 0 bytes inside of 4097768684-byte region [0x7fd928501800,0x7fda1c8f14ec)
allocated by thread T0 here:
    #0 0x7fda24637602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x5c2a22 in lalloc /home/pel/sb/vim/src/misc2.c:942
    #2 0x5c297c in alloc_check /home/pel/sb/vim/src/misc2.c:885
    #3 0x60f8d5 in shift_block /home/pel/sb/vim/src/ops.c:448
    #4 0x60e95b in op_shift /home/pel/sb/vim/src/ops.c:244
    #5 0x5ee93e in do_pending_operator /home/pel/sb/vim/src/normal.c:1842
    #6 0x5eb1e6 in normal_cmd /home/pel/sb/vim/src/normal.c:1183
    #7 0x4efefd in exec_normal /home/pel/sb/vim/src/ex_docmd.c:10415
    #8 0x4efea6 in exec_normal_cmd /home/pel/sb/vim/src/ex_docmd.c:10398
    #9 0x4efae5 in ex_normal /home/pel/sb/vim/src/ex_docmd.c:10307
    #10 0x4d42d2 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #11 0x4cea01 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #12 0x471cbe in ex_execute /home/pel/sb/vim/src/eval.c:8365
    #13 0x4d42d2 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #14 0x4cea01 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #15 0x4cafbf in do_source /home/pel/sb/vim/src/ex_cmds2.c:4377
    #16 0x4ca106 in cmd_source /home/pel/sb/vim/src/ex_cmds2.c:3990
    #17 0x4c9fa7 in ex_source /home/pel/sb/vim/src/ex_cmds2.c:3965
    #18 0x4d42d2 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2952
    #19 0x4cea01 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1089
    #20 0x4cdd9f in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:689
    #21 0x8644f4 in exe_commands /home/pel/sb/vim/src/main.c:2968
    #22 0x85ea2d in vim_main2 /home/pel/sb/vim/src/main.c:805
    #23 0x85e25b in main /home/pel/sb/vim/src/main.c:419
    #24 0x7fda2150682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memset
==17674==ABORTING
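The overflow described above, as an added example that is not vim's code and not the fix in bae5a17: the unchecked `count * 'shiftwidth'` product beside a checked version, and a hypothetical `shift_line` stand-in for the padding step that refuses a width it cannot represent, so the memset length can never go negative.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Defect pattern from the report: count * 'shiftwidth' computed in int.
 * The long long cast truncates instead of triggering signed-overflow UB,
 * so this runs under sanitizers and still shows the sign flip. */
static int shift_total_unchecked(int amount, int sw)
{
    return (int)((long long)amount * sw);
}

/* Hardened form: refuse any product that does not fit in an int.
 * Returns -1 on overflow or bad input, otherwise the total width. */
static int shift_total_checked(int amount, int sw)
{
    if (amount <= 0 || sw <= 0 || amount > INT_MAX / sw)
        return -1;
    return amount * sw;
}

/* Hypothetical stand-in for the shift_block step that pads a line: indent
 * "text" by amount * sw spaces. Returns a malloc'd string, or NULL when the
 * width is unrepresentable, so memset never receives a negative length. */
static char *shift_line(const char *text, int amount, int sw)
{
    size_t len = strlen(text);
    int total = shift_total_checked(amount, sw);
    char *out;

    if (total < 0 || (size_t)total > SIZE_MAX - len - 1)
        return NULL;
    out = malloc(len + (size_t)total + 1);
    if (out == NULL)
        return NULL;
    memset(out, ' ', (size_t)total);    /* total is a validated positive int */
    memcpy(out + total, text, len + 1); /* copy text plus terminating NUL */
    return out;
}

int main(void)
{
    /* The fuzzer's case from the report: count 876543210, 'shiftwidth' 8. */
    printf("unchecked: %d\n", shift_total_unchecked(876543210, 8));
    printf("checked:   %d\n", shift_total_checked(876543210, 8));
    return 0;
}
```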

codecov-io commented Aug 6, 2017

Codecov Report

Merging #1945 into master will increase coverage by <.01%.
The diff coverage is 100%.


@@            Coverage Diff             @@
##           master    #1945      +/-   ##
==========================================
+ Coverage   75.08%   75.08%   +<.01%     
==========================================
  Files          76       76              
  Lines      125316   125277      -39     
==========================================
- Hits        94091    94064      -27     
+ Misses      31225    31213      -12
Impacted Files       Coverage Δ
src/ops.c            78.65% <100%> (+0.01%) ⬆️
src/if_py_both.h     75.36% <0%>   (-0.72%) ⬇️
src/channel.c        83.88% <0%>   (+0.04%) ⬆️
src/message.c        68.35% <0%>   (+0.05%) ⬆️
src/gui_gtk_x11.c    47.6%  <0%>   (+0.05%) ⬆️
src/gui.c            45.58% <0%>   (+0.05%) ⬆️
src/term.c           52.99% <0%>   (+0.05%) ⬆️
src/window.c         81.43% <0%>   (+0.09%) ⬆️
src/os_unix.c        57.06% <0%>   (+0.38%) ⬆️
src/if_xcmdsrv.c     84.25% <0%>   (+0.74%) ⬆️
... and 1 more


@brammool brammool closed this in bae5a17 Aug 6, 2017
janlazo added a commit to janlazo/neovim that referenced this pull request Jul 14, 2018
Problem:    Crash when shifting with huge number.
Solution:   Check for overflow. (Dominique Pelle, closes vim/vim#1945)
vim/vim@bae5a17