Charles Peacech wrote:
> On Mon, May 20, 2013 at 5:28 PM, Charles <[email protected]> wrote:
> > Hi,
> >
> > In my gvim, the new regexp engine crashes gvim for this regexp
> >
> > 0x02a60c72 "htmlSpecialChar "&#\=[0-9A-Za-z]\{1,8};""
> >
> > The crash happens here
> >
> > /*
> >  * Allocate and initialize nfa_state_T.
> >  */
> >     static nfa_state_T *
> > new_state(c, out, out1)
> >     int		c;
> >     nfa_state_T	*out;
> >     nfa_state_T	*out1;
> > {
> >     nfa_state_T *s;
> >
> >     if (istate >= nstate)
> >         return NULL;
> >
> >     s = &state_ptr[istate++];
> >
> >     s->c    = c;
> >     s->out  = out;
> >     s->out1 = out1; // <----- Access violation here, probably because s points to foreign memory
> >
> >     s->id   = istate;
> >     s->lastlist = 0;
> >     s->lastthread = NULL;
> >     s->visits = 0;
> >     s->negated = FALSE;
> >
> >     return s;
> > }
> >
>
> It seems that the cause is an insufficient initial size here
>
> line 232:
> /* A reasonable estimation for size */
> nstate_max = (STRLEN(expr) + 1) * NFA_POSTFIX_MULTIPLIER;
>
> When it crashed, it's trying to access member no. 714 while the
> currently allocated array is only 631.

Yes, increasing the size works around the problem.

However, there is a check for the pointer not to go beyond the end:

    #define EMIT(c) do { \
            if (post_ptr >= post_end) \
                return FAIL; \
            *post_ptr++ = c; \
        } while (0)

For some reason that is not working.  Ah, it's adding the byte size to
the int pointer, that's wrong.  Patch coming up...

--
Beer & pretzels can't be served at the same time in any bar or restaurant.
[real standing law in North Dakota, United States of America]
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
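
The following is an added example, not part of the thread and not Vim's source: it shows why an `EMIT()`-style check stops protecting the buffer when the end pointer is computed by adding a byte count to an `int *`. The names `emitter_T`, `emit` and `emits_accepted`, the assumption that the end pointer was computed this way, and the sample size of 100 are constructed for illustration; the backing arena is oversized on purpose so the buggy case can be measured without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define OK   1
#define FAIL 0

/* Hypothetical emitter state, modelled on the EMIT() macro quoted above. */
typedef struct {
    int *post_ptr;   /* next free slot */
    int *post_end;   /* one past the last slot the check allows */
} emitter_T;

/* Same test as EMIT(): refuse to write at or past post_end. */
static int emit(emitter_T *e, int c)
{
    if (e->post_ptr >= e->post_end)
        return FAIL;
    *e->post_ptr++ = c;
    return OK;
}

/* Count the writes the check accepts for a buffer meant to hold nelem ints. */
static size_t emits_accepted(size_t nelem, int buggy)
{
    size_t nbytes = nelem * sizeof(int);       /* intended size in bytes */
    int *arena = calloc(nbytes, sizeof(int));  /* oversized: keeps demo in bounds */
    emitter_T e;
    size_t n = 0;

    if (arena == NULL)
        return 0;
    e.post_ptr = arena;
    /* Arithmetic on int* already scales by sizeof(int). */
    e.post_end = buggy ? arena + nbytes    /* byte count used as element count */
                       : arena + nelem;    /* element count: correct */
    while (emit(&e, 0) == OK)
        n++;
    free(arena);
    return n;
}

int main(void)
{
    printf("intended capacity: 100 ints\n");
    printf("accepted, fixed end: %zu\n", emits_accepted(100, 0));
    printf("accepted, buggy end: %zu\n", emits_accepted(100, 1));
    return 0;
}
```

With a real allocation of only `nelem` ints, every write past slot `nelem - 1` that the buggy check accepts would land outside the buffer.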