Hi,

If you source the attached script and press <F3> multiple times (at least 40 times) followed by <F4> multiple times, you will see that Vim crashes. Also, this script illustrates the problem with virtual text not rendering properly when a line starts with a tab character.
The ASAN traceback is below:
=================================================================
==67409==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6080000153f3 at pc 0x7f25e1e39c23 bp 0x7ffcd0a71fd0 sp
0x7ffcd0a71778
WRITE of size 88 at 0x6080000153f3 thread T0
#0 0x7f25e1e39c22 in __interceptor_memset
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
#1 0x55c51d913be1 in text_prop_position
/home/yega/Documents/vim/vimlsp/vim/src/drawline.c:723
#2 0x55c51d926ed2 in win_line
/home/yega/Documents/vim/vimlsp/vim/src/drawline.c:2124
#3 0x55c51d961278 in win_update
/home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:2484
#4 0x55c51d941534 in update_screen
/home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:324
#5 0x55c51e5e9298 in main_loop
/home/yega/Documents/vim/vimlsp/vim/src/main.c:1427
#6 0x55c51e5e79e0 in vim_main2
/home/yega/Documents/vim/vimlsp/vim/src/main.c:887
#7 0x55c51e5e6e23 in main /home/yega/Documents/vim/vimlsp/vim/src/main.c:433
#8 0x7f25e1029d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#9 0x7f25e1029e3f in __libc_start_main_impl ../csu/libc-start.c:392
#10 0x55c51d7bb784 in _start
(/home/yega/Documents/vim/vimlsp/vim/src/vim+0x129f784)
0x6080000153f3 is located 0 bytes to the right of 83-byte region
[0x6080000153a0,0x6080000153f3)
allocated by thread T0 here:
#0 0x7f25e1eb4867 in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55c51d7bbc3c in lalloc
/home/yega/Documents/vim/vimlsp/vim/src/alloc.c:246
#2 0x55c51d7bb9fe in alloc
/home/yega/Documents/vim/vimlsp/vim/src/alloc.c:151
#3 0x55c51d913aa6 in text_prop_position
/home/yega/Documents/vim/vimlsp/vim/src/drawline.c:712
#4 0x55c51d926ed2 in win_line
/home/yega/Documents/vim/vimlsp/vim/src/drawline.c:2124
#5 0x55c51d961278 in win_update
/home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:2484
#6 0x55c51d941534 in update_screen
/home/yega/Documents/vim/vimlsp/vim/src/drawscreen.c:324
#7 0x55c51e5e9298 in main_loop
/home/yega/Documents/vim/vimlsp/vim/src/main.c:1427
#8 0x55c51e5e79e0 in vim_main2
/home/yega/Documents/vim/vimlsp/vim/src/main.c:887
#9 0x55c51e5e6e23 in main /home/yega/Documents/vim/vimlsp/vim/src/main.c:433
#10 0x7f25e1029d8f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-buffer-overflow
../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
in __interceptor_memset
Shadow bytes around the buggy address:
0x0c107fffaa20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa50: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
0x0c107fffaa60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c107fffaa70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00[03]fa
0x0c107fffaa80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaa90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fffaac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==67409==ABORTING
- Yegappan
Attachment: vtext.vim
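An added triage helper, not part of the original message or of Vim: it reduces an ASan heap report like the one above, including the mail client's line wrapping, to the fields a maintainer needs first. The function names, the shortened paths in the constructed sample, and the choice of `lalloc`/`alloc` as allocation wrappers to skip are assumptions of this example.

```python
import re

# Constructed sample: abridged from the report above, mail wrapping kept, paths shortened.
SAMPLE = """\
==67409==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6080000153f3 at pc 0x7f25e1e39c23
WRITE of size 88 at 0x6080000153f3 thread T0
#0 0x7f25e1e39c22 in __interceptor_memset
sanitizer_common_interceptors.inc:799
#1 0x55c51d913be1 in text_prop_position
src/drawline.c:723
0x6080000153f3 is located 0 bytes to the right of 83-byte region
[0x6080000153a0,0x6080000153f3)
allocated by thread T0 here:
#0 0x7f25e1eb4867 in __interceptor_malloc
asan_malloc_linux.cpp:145
#1 0x55c51d7bbc3c in lalloc
src/alloc.c:246
#2 0x55c51d7bb9fe in alloc
src/alloc.c:151
#3 0x55c51d913aa6 in text_prop_position
src/drawline.c:712
"""

FRAME = re.compile(r"#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")

def first_own_frame(stack, skip=()):
    """First frame that is neither a sanitizer interceptor nor in skip."""
    own = (f for f in FRAME.findall(stack)
           if not f[0].startswith("__interceptor_") and f[0] not in skip)
    return next(own, None)

def triage(report, alloc_wrappers=("lalloc", "alloc")):
    text = " ".join(report.split())          # undo mail line wrapping
    head = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", text)
    acc = re.search(r"(READ|WRITE) of size (\d+) at", text)
    reg = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", text)
    if not (head and acc and reg):
        raise ValueError("not a heap ASan report in the expected shape")
    addr, size = int(head.group(2), 16), int(acc.group(2))
    start, end = int(reg.group(2), 16), int(reg.group(3), 16)
    access, _, alloc = text.partition("allocated by thread")
    return {
        "bug": head.group(1), "op": acc.group(1), "region_size": int(reg.group(1)),
        "offset_in_region": addr - start,            # where the access begins
        "bytes_past_end": max(0, addr + size - end),
        "fault_site": first_own_frame(access),
        "alloc_site": first_own_frame(alloc, alloc_wrappers),
    }
```

For this report the result shows the write starting at offset 83 of an 83-byte buffer, so all 88 bytes land past the end, with both the allocation and the write inside `text_prop_position`.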
