On Thursday, August 13, 2015 at 1:52:26 AM UTC-4, Raymond Ko wrote:
> On Wednesday, August 12, 2015 at 4:04:57 PM UTC-4, Dominique Pelle wrote:
> > Hi
> > 
> > Here is another bug discovered by afl-fuzz which is
> > ruthless at finding bugs. The following command
> > crashes vim-7.4.823 (and older):
> > 
> > $ vim -u NONE -c ow -c 'sy keyword x c'
> > Vim: Caught deadly signal SEGV
> > Vim: Finished.
> > Segmentation fault (core dumped)
> > 
> > $ cgdb --args ./vim -u NONE -c ow -c 'sy keyword x c'
> > 
> > 153│     idx = (unsigned)(hash & ht->ht_mask);
> > 154│     hi = &ht->ht_array[idx];
> > 155│
> > 156├>    if (hi->hi_key == NULL)
> > 157│         return hi;
> > 
> > (gdb) p hi
> > $1 = (hashitem_T *) 0x0
> > 
> > (gdb) p idx
> > $2 = 0
> > 
> > (gdb) p hash
> > $3 = 99
> > 
> > (gdb) p ht->ht_mask
> > $4 = 0
> > 
> > (gdb) bt
> > #0  0x00000000004e2b5d in hash_lookup (ht=0x965a00, key=0x965f48 "c",
> > hash=99) at hashtab.c:156
> > #1  0x000000000061ca44 in add_keyword (name=0x965f00 "c", id=46,
> > flags=0, cont_in_list=0x0, next_list=0x0, conceal_char=0) at
> > syntax.c:4458
> > #2  0x00000000006174f5 in syn_cmd_keyword (eap=0x7fffffffd428,
> > syncing=0) at syntax.c:4868
> > #3  0x000000000060f0b5 in ex_syntax (eap=0x7fffffffd428) at syntax.c:6296
> > #4  0x000000000049053b in do_one_cmd (cmdlinep=0x7fffffffdb88,
> > sourcing=1, cstack=0x7fffffffd6d0, fgetline=0x0, cookie=0x0) at
> > ex_docmd.c:2941
> > #5  0x000000000048bdfe in do_cmdline (cmdline=0x7fffffffe2a0 "sy
> > keyword x c", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:1133
> > #6  0x000000000048cca6 in do_cmdline_cmd (cmd=0x7fffffffe2a0 "sy
> > keyword x c") at ex_docmd.c:738
> > #7  0x00000000006777e8 in exe_commands (parmp=0x7fffffffdc78) at main.c:2926
> > #8  0x00000000006742fd in main (argc=7, argv=0x7fffffffdeb8) at main.c:961
> > 
> > Valgrind and asan don't give more info.
> > Sorry, no patch. I'm not sure how to fix it.
> > 
> > Regards
> > Dominique
> 
> This struck me as odd, as I was tweaking VIM's hash table to try and lower the 
> collision rate in my own minifork, and I thought: there can't possibly be a 
> bug in the hash table!
> 
> Anyway, after some investigation, the cause of the crash is that :ownsyntax 
> creates its own synblock_T but does not properly initialize it, i.e. memset 
> to 0 is wrong for some structures. For most things it is okay, except for 
> the spellcheck structures, but that is marked as TODO and set to values that 
> disable it. Looking at the GDB print of the structures, the only other structures 
> which seem essential to initialize are the two hash tables b_keywtab and 
> b_keywtab_ic. A simple hash_init on these two tables fixes the reported crash, 
> as shown in the patch below.
> 
> A proper solution would probably be to completely deep copy the entire 
> structure from the buffer, and add a comment in structs.h saying to 
> update that init function if you change it, but maybe there is no one who 
> actually uses :ownsyntax and spell check together, so just add it to the TODO list if 
> not already there?
> 
> diff -r 0bed79a9dde9 src/syntax.c
> --- a/src/syntax.c      Wed Aug 12 11:30:06 2015 -0400
> +++ b/src/syntax.c      Thu Aug 13 01:40:53 2015 -0400
> @@ -6309,6 +6309,8 @@
>      {
>         curwin->w_s = (synblock_T *)alloc(sizeof(synblock_T));
>         memset(curwin->w_s, 0, sizeof(synblock_T));
> +       hash_init(&curwin->w_s->b_keywtab);
> +       hash_init(&curwin->w_s->b_keywtab_ic);
>  #ifdef FEAT_SPELL
>         /* TODO: keep the spell checking as it was. */
>         curwin->w_p_spell = FALSE;      /* No spell checking */

Oops, forgot the #ifdef for tiny versions.

diff -r 0bed79a9dde9 src/syntax.c
--- a/src/syntax.c      Wed Aug 12 11:30:06 2015 -0400
+++ b/src/syntax.c      Thu Aug 13 01:54:02 2015 -0400
@@ -6309,6 +6309,10 @@
     {
        curwin->w_s = (synblock_T *)alloc(sizeof(synblock_T));
        memset(curwin->w_s, 0, sizeof(synblock_T));
+#ifdef FEAT_SYN_HL
+       hash_init(&curwin->w_s->b_keywtab);
+       hash_init(&curwin->w_s->b_keywtab_ic);
+# endif
 #ifdef FEAT_SPELL
        /* TODO: keep the spell checking as it was. */
        curwin->w_p_spell = FALSE;      /* No spell checking */
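Review bot: the preprocessor style of the new guard is inconsistent: `#ifdef FEAT_SYN_HL` is flush left but its closing `# endif` is indented, and the `#ifdef FEAT_SPELL` immediately after is flush left again; pick one form for the pair. Since these two calls are the entire fix, a one-line comment above them saying why the memset alone is insufficient (the keyword hash tables are not usable when zeroed, per the crash in this thread) would spare the next reader from re-deriving it, in place of the structs.h comment the earlier message proposed. Separately, the `alloc()` result in the context line is passed straight to `memset` with no NULL check; that predates this patch, but it is the same class of NULL dereference the patch fixes and could be handled in the same spot.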

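The cause described in the quoted message (a memset to zero leaves the keyword hash tables with a NULL bucket array and a zero mask, which hash_lookup then indexes) as an added example, not code from this thread or from Vim's hashtab.c: a small C model of the table shape the gdb output shows. The field names ht_array, ht_mask and hi_key come from the trace; HT_INIT_SIZE, the embedded ht_smallarray, the toy hash function and the initialisation guard in the lookup are assumptions modelled on what such a table needs, not Vim's actual definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the table shape in the trace (not Vim's hashtab.c):
 * a fresh table points at an inline small array and only grows later.
 * A zeroed struct therefore has ht_array == NULL and ht_mask == 0, which
 * is exactly what gdb printed before the NULL dereference. */
#define HT_INIT_SIZE 16          /* assumption: initial bucket count */

typedef struct {
    const char *hi_key;          /* NULL marks an empty bucket */
} hashitem_T;

typedef struct {
    unsigned long ht_mask;       /* bucket count - 1 */
    hashitem_T   *ht_array;      /* current bucket array */
    hashitem_T    ht_smallarray[HT_INIT_SIZE];
} hashtab_T;

/* Proper initialisation: zero the struct, then point ht_array at the
 * embedded small array and set the mask. memset() alone performs only the
 * first step, which is the defect behind the :ownsyntax crash. */
void hash_init_model(hashtab_T *ht)
{
    memset(ht, 0, sizeof(*ht));
    ht->ht_array = ht->ht_smallarray;
    ht->ht_mask = HT_INIT_SIZE - 1;
}

/* Toy string hash (assumption); for the one-byte key "c" it yields 99,
 * the value gdb showed for `hash`. */
unsigned long hash_model(const char *key)
{
    unsigned long h = 0;
    for (; *key; ++key)
        h = h * 31 + (unsigned char)*key;
    return h;
}

/* Returns 1 if the table is usable, 0 if it has only been zeroed. */
int hash_is_initialized(const hashtab_T *ht)
{
    return ht->ht_array != NULL && ht->ht_mask != 0
           && ((ht->ht_mask + 1) & ht->ht_mask) == 0;   /* power of two */
}

/* Lookup with the guard the crashing path lacked: an uninitialised table
 * yields NULL instead of indexing a NULL bucket array. */
hashitem_T *hash_lookup_model(hashtab_T *ht, const char *key)
{
    if (!hash_is_initialized(ht))
        return NULL;
    unsigned long hash = hash_model(key);
    unsigned idx = (unsigned)(hash & ht->ht_mask);
    /* no collision chain here: the model only needs empty/occupied buckets */
    return &ht->ht_array[idx];
}

/* Runs both paths: a table set up the way the buggy code did it (memset
 * only) and one set up by hash_init_model. Returns 1 when the memset-only
 * table is rejected and the initialised one resolves "c" to an empty
 * bucket in the small array. */
int demo(void)
{
    hashtab_T zeroed, proper;
    memset(&zeroed, 0, sizeof(zeroed));      /* what the buggy code did */
    hash_init_model(&proper);

    int zeroed_rejected = hash_lookup_model(&zeroed, "c") == NULL;
    hashitem_T *hi = hash_lookup_model(&proper, "c");
    int proper_ok = hi != NULL
                    && hi == &proper.ht_smallarray[99 & (HT_INIT_SIZE - 1)]
                    && hi->hi_key == NULL;
    return zeroed_rejected && proper_ok;
}

int main(void)
{
    printf("%s\n", demo() ? "zeroed table rejected, initialised table usable"
                          : "unexpected result");
    return 0;
}
```

The guard in hash_lookup_model is a detection aid, not the fix: the fix is to call the real initialiser after allocating the block, as the patch does. Checking ht_array and ht_mask in a debug build turns a silent NULL index into an early, attributable failure.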