severity 964358 grave
affects 964358 php-cli

Package: libedit2
Version: 3.1-20181209-1
The #964358 crash is also affecting packaged programs that link to libedit, such as php-cli.

Steps to reproduce:

  1. php -r 'echo str_repeat("a", 2000);'
  2. Copy the output
  3. Run php -a
  4. Paste the above

It seems to differ based on the terminal size; with 100 columns it seems to be about 1500 characters. Enlarging a few columns, it may move to 1800, etc. Running under gdb, the limit seems to increase too, but it's nevertheless reproducible.

Using the symbols from php7.3-cli-dbgsym and libedit2-dbgsym:

  (...)
  Program received signal SIGSEGV, Segmentation fault.
  re__copy_and_pad (width=100, src=<optimized out>, dst=0x4 <error: Cannot access memory at address 0x4>) at refresh.c:1018
  1018    refresh.c: No such file or directory.
  (gdb) bt
  #0  re__copy_and_pad (width=100, src=<optimized out>, dst=0x4 <error: Cannot access memory at address 0x4>) at refresh.c:1018
  #1  re_fastputc (el=el@entry=0x555555b1a210, c=c@entry=97) at refresh.c:1129
  #2  0x00007ffff4aac353 in re_fastaddc (el=el@entry=0x555555b1a210) at refresh.c:1171
  #3  0x00007ffff4aa3d02 in ed_insert (el=0x555555b1a210, c=97) at common.c:96
  #4  0x00007ffff4aaa792 in el_wgets (el=el@entry=0x555555b1a210, nread=nread@entry=0x7fffffffcbc4) at read.c:538
  #5  0x00007ffff4aa5dc3 in el_gets (el=0x555555b1a210, nread=nread@entry=0x7fffffffcbc4) at eln.c:75
  #6  0x00007ffff4ab84f6 in readline (p=0x7ffff507b018 "php > ") at readline.c:453
  #7  0x00007ffff523481a in ?? () from /usr/lib/php/20180731/readline.so
  #8  0x0000555555885916 in do_cli (argc=2, argv=0x555555a12c90) at ./sapi/cli/php_cli.c:995
  #9  0x0000555555661b1b in main (argc=2, argv=0x555555a12c90) at ./sapi/cli/php_cli.c:1393

There is a similar (more related to autocompletion) libedit crash mentioned in openbsd-tech: https://marc.info/?l=openbsd-tech&m=156463894328592&w=2 which points to NetBSD https://github.com/NetBSD/src/commit/b91b3c48e0edb116bd797586430cb426b575d717 initializing a number of buffers using calloc.

That one references https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=54399. However, PR54399 is a crash on history functions, unrelated to the above. The other calloc() could be fixing this problem, though.

After updating libedit2 from 3.1-20181209-1 (buster) to 3.1-20191231-1 (bullseye), I can no longer reproduce the crash.
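A regression harness for the reproduction steps above, added here and not part of the bug report, libedit or php: it runs a libedit-linked REPL inside a pseudo-terminal of a chosen width, pastes the constructed 2000-character line, and reports whether the process was killed by a signal, so the check can be repeated after a libedit2 upgrade. The `php -a` command, the 100x24 terminal size, the 0.5 s prompt delay and the 5 s timeout are assumptions; a fixed libedit should survive the paste and exit on the trailing Ctrl-D.

```python
"""Added regression check for the long-paste crash: run a libedit-linked REPL in a
pty of a chosen width, paste a long line, report whether it died from a signal."""
import fcntl
import os
import pty
import select
import signal
import struct
import termios
import time

def make_payload(length=2000, char="a"):
    """Constructed paste: the report's str_repeat("a", 2000) followed by Enter."""
    return (char * length).encode() + b"\n"

def crashed(status):
    """True if a waitpid() status means death by SIGSEGV, SIGBUS or SIGABRT."""
    fatal = (signal.SIGSEGV, signal.SIGBUS, signal.SIGABRT)
    return os.WIFSIGNALED(status) and os.WTERMSIG(status) in fatal

def paste_into_repl(argv, payload, cols=100, rows=24, timeout=5.0):
    """Spawn argv on a rows x cols pty, feed payload then Ctrl-D; return wait status."""
    pid, master = pty.fork()
    if pid == 0:  # child: size the slave tty (what libedit queries), then exec
        fcntl.ioctl(0, termios.TIOCSWINSZ, struct.pack("HHHH", rows, cols, 0, 0))
        os.environ.setdefault("TERM", "xterm")
        os.execvp(argv[0], argv)
    time.sleep(0.5)  # let the REPL print its prompt before the "paste"
    os.write(master, payload + b"\x04")  # the paste, then EOF so a healthy REPL exits
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        done, status = os.waitpid(pid, os.WNOHANG)
        if done:
            os.close(master)
            return status
        ready, _, _ = select.select([master], [], [], 0.2)
        if ready:
            try:
                os.read(master, 4096)  # drain echoed output so the child never blocks
            except OSError:  # EIO once the slave side has gone away
                pass
    os.kill(pid, signal.SIGKILL)  # still running after the timeout: treat as a hang
    os.close(master)
    return os.waitpid(pid, 0)[1]

if __name__ == "__main__":
    st = paste_into_repl(["php", "-a"], make_payload(2000), cols=100)
    print("CRASH" if crashed(st) else "ok", "(wait status %#x)" % st)
```

Run it once per terminal width you care about (the report notes the threshold moves with the column count); a status reported as CRASH with wait status 0xb or 0x8b is the SIGSEGV seen in the backtrace.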