Denys Vlasenko wrote:
> On Monday 14 July 2008 14:36, walter harms wrote:
>> hi rob,
>> I am using vi also. Lately we added some boundary checks to prevent
>> buffer overflows.
>> I did not check the latest svn, but the version 2008-06 gave me some
>> ^@ in gdb and I suspect there is still some off-by-one.
>> Whether it still crashes I could not check (no time).
>
> It is actually the issue we debugged with you, Walter,
> and a patch has been available since 11-Jul-2008:
>
> http://busybox.net/downloads/fixes-1.11.0/busybox-1.11.0-vi.patch
>
(tested with latest snapshot)
I am really sorry to write ...
<-----screenshot ------------------>
CC libbb/xfuncs_printf.o
CC libbb/xgetcwd.o
CC libbb/xgethostbyname
CC libbb/xreadlink.o
Program received signal SIGSEGV, Segmentation fault.
0x0804c142 in char_insert (p=0x4018b006 "\n", c=10 '\n') at vi.c:1687
1687 for (; isblank(*q); q++) {
(gdb) p q
$1 = 0x80939dc <Address 0x80939dc out of bounds>
<------EOS------------------------------------->
I have no clue why this can happen; q is the start of the previous line.
How to reproduce:
1. Compile busybox with vi and "Enable set-able options, ai ic showmatch".
2. Use vi in insert mode.
3. Clip some lines from the screen with leading spaces (seems important).
4. Paste into vi until the crash occurs.
Here is the list of globals:
(gdb)p *ptr_to_globals
$4 = {
text = 0x4014f008 "USER PID %CPU %MEM VSZ RSS TTY STAT START
TIME COMMAND\nroot 1 0.0 0.0 688 72 ? S
Jul14 0:01 init [5] \nroot 2 0.0 0.0 0 0 ? S
"...,
end = 0x4018b007 "", dot = 0x4018af5a "\n", ' ' <repeats 171 times>, "\n",
text_size = 255999, vi_setops = 7 '\a', readonly_mode = 0 '\0',
editing = 1 '\001', cmd_mode = 1 '\001', file_modified = 245758,
last_file_modified = 215393, fn_start = 1, save_argc = 2, cmdcnt = 0,
rows = 49, columns = 80, crow = 47, ccol = 54, offset = 826,
have_status_msg = 0, last_status_cksum = 0,
current_filename = 0x8057c38 "vi",
screenbegin = 0x401797d9 ' ' <repeats 200 times>...,
screen = 0x80544d0 ' ' <repeats 200 times>..., screensize = 3928,
tabstop = 8, erase_char = 127 '\177', last_input_char = 13 '\r',
last_forward_char = 0 '\0', adding2q = 1 '\001', lmc_len = 127, ioq = 0x0,
ioq_start = 0x0, last_row = 47, my_pid = 17179,
modifying_cmds = 0x8050848 "aAcCdDiIJoOpPrRsxX<>~",
last_search_pattern = 0x0, chars_to_parse = 14,
edit_file__cur_line = 0x8093931 <Address 0x8093931 out of bounds>,
refresh__old_offset = 826, format_edit_status__tot = 534, YDreg = 26,
Ureg = 27, reg = {0x0 <repeats 27 times>,
0x8055430 ' ' <repeats 200 times>...}, mark = {0x0 <repeats 26 times>,
0x8093cfa <Address 0x8093cfa out of bounds>,
0x8093cf5 <Address 0x8093cf5 out of bounds>},
context_start = 0x80931a0 <Address 0x80931a0 out of bounds>,
context_end = 0x8093cfa <Address 0x8093cfa out of bounds>, restart = {{
__jmpbuf = {134557704, 0, 1073831104, -1074854200, -1074854356,
134519555}, __mask_was_saved = 1, __saved_mask = {__val = {
0 <repeats 32 times>}}}}, term_orig = {c_iflag = 9474, c_oflag = 5,
c_cflag = 191, c_lflag = 35387, c_line = 0 '\0',
c_cc = "\003\034\177\025\004\000\001\000\021\023\032\000\022\017\027\026",
'\0' <repeats 15 times>, c_ispeed = 15, c_ospeed = 15}, term_vi = {
c_iflag = 8194, c_oflag = 1, c_cflag = 191, c_lflag = 35377,
c_line = 0 '\0',
c_cc = "\003\034\177\025\004\000\001\000\021\023\032\000\022\017\027\026",
'\0' <repeats 15 times>, c_ispeed = 15, c_ospeed = 15},
initial_cmds = {0x0,
0x0, 0x0}, readbuffer = " CC li", 'b' <repeats 20 times>,
status_buffer = "\033[7mlast_modifying_cmd overrun\033[0m", '\0' <repeats 165 times>,
last_modifying_cmd = "iUSER PID %CPU %MEM VSZ RSS TTY STAT
START TIME COMMAND\rroot 1 0.0 0.0 688 72 ?
S J",
get_input_line(bool, float __restrict) = '\0' <repeats 127 times>,
scr_out_buf = ' ' <repeats 82 times>, ".o a", '\0' <repeats 4071 times>}
But the ^@ are gone :)
re,
wh
_______________________________________________
busybox mailing list
[email protected]
http://busybox.net/cgi-bin/mailman/listinfo/busybox
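The crash above is in the autoindent path of char_insert: on an inserted newline, q is pointed at the start of the previous line and `for (; isblank(*q); q++)` walks over its leading blanks, relying on a non-blank byte (or a '\n') to stop it. The gdb output shows q far outside the text..end range, so that loop is reading memory that is not the edit buffer at all. The following is an added example, not code from busybox or from anyone on this thread; it models the text/end pair from the globals dump with a small constructed buffer and puts the unbounded scan beside a bounded one so the difference is visible on a sample where blanks happen to lie past end. All names (edbuf, line_start, leading_blanks_*, autoindent_width, make_sample) are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the text/end pointers in vi's globals. */
struct edbuf {
    char *text;   /* first byte of the edit buffer */
    char *end;    /* one past the last valid byte (not necessarily NUL-terminated) */
};

/* Walk back to the start of the line containing p, never before text. */
static char *line_start(const struct edbuf *b, char *p)
{
    while (p > b->text && p[-1] != '\n')
        p--;
    return p;
}

/* The shape of the loop at the crash site: it stops only on a non-blank
 * byte, so it trusts that such a byte lies within reachable memory. */
static size_t leading_blanks_unbounded(const char *q)
{
    const char *s = q;
    for (; isblank((unsigned char)*q); q++)
        ;
    return (size_t)(q - s);
}

/* Same scan with the buffer bounds made explicit: q must lie inside
 * [text, end) and the walk stops at end even if every byte is blank. */
static size_t leading_blanks_bounded(const struct edbuf *b, const char *q)
{
    const char *s = q;
    if (q < b->text || q >= b->end)
        return 0;
    for (; q < b->end && isblank((unsigned char)*q); q++)
        ;
    return (size_t)(q - s);
}

/* Indentation to copy when a newline is inserted at p under autoindent:
 * the leading blanks of the line holding the byte just before p. */
static size_t autoindent_width(const struct edbuf *b, char *p)
{
    if (p <= b->text || p > b->end)
        return 0;          /* no previous line, or p is not in the buffer */
    return leading_blanks_bounded(b, line_start(b, p - 1));
}

/* Constructed sample (not from the crash): a ps-like fragment whose last
 * line is three blanks with no trailing newline, placed in storage that
 * is larger than the logical buffer and filled with more blanks past end.
 * The final byte is NUL so the unbounded scan stays inside the array. */
static char sample_storage[32];

static struct edbuf make_sample(void)
{
    const char *sample = "root  1\n    init\n   ";
    struct edbuf b;
    memset(sample_storage, ' ', sizeof sample_storage);
    sample_storage[sizeof sample_storage - 1] = '\0';
    memcpy(sample_storage, sample, strlen(sample));
    b.text = sample_storage;
    b.end = sample_storage + strlen(sample);
    return b;
}

/* Blanks found on the sample's last line by each scan. */
static size_t sample_bounded(void)
{
    struct edbuf b = make_sample();
    return leading_blanks_bounded(&b, line_start(&b, b.end - 1));
}

static size_t sample_unbounded(void)
{
    struct edbuf b = make_sample();
    return leading_blanks_unbounded(line_start(&b, b.end - 1));
}

/* Indent vi would copy when a newline is inserted at the end of the sample. */
static size_t sample_autoindent(void)
{
    struct edbuf b = make_sample();
    return autoindent_width(&b, b.end);
}

int main(void)
{
    printf("last line: bounded=%zu unbounded=%zu\n",
           sample_bounded(), sample_unbounded());
    printf("autoindent at end: %zu\n", sample_autoindent());
    return 0;
}
```

The bounded scan reports the three blanks that actually belong to the last line; the unbounded one keeps going into the blanks that sit past end and reports fourteen. In the real crash q was not merely past end but outside the buffer entirely, so a range check on q before the loop (as in leading_blanks_bounded) would turn the SIGSEGV into a no-indent result while the root cause of the bad q is tracked down.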