old vi bug still alive ...

Denys Vlasenko vda.linux at googlemail.com
Wed Nov 19 13:20:56 UTC 2008


On Tue, Nov 18, 2008 at 7:48 PM, walter harms <wharms at bfs.de> wrote:
> hi list,
> i was trying the latest vi and found the old bug i found this summer still alive.
>
> how to reproduce
> *compile vi with ENABLE_FEATURE_VI_SETOPTS
> *start vi
> *choose insert mode
> *type <tab><anychar><CR>
> use clip&paste to repeat that often
> vi will indent the line to the right.
> after some time vi crashes in this line
>
>        for (; isblank(*q); q++) {
>
> q is the start of the previous line
>        q = prev_line(p);
>
> but the results in the debugger are confusing
> (gdb)  p p
> $37 = 0xb7cc8805 "\t\n"
> (gdb)  p prev_line(p)
> $38 = 0xb7cc7dcf ' ' <repeats 200 times>...
> (gdb) p q
> $39 = 0x81afa14 <Address 0x81afa14 out of bounds>
>
> i added a printf to see what happens to the pointer.
> here the results of the last round:

Well, the code is:

for (; isblank(*q); q++) {
        p = stupid_insert(p, *q);
}

and stupid_insert() might reallocate text[] (!),
after which q points nowhere.

Lots and lots of places in vi.c do not expect that to happen.
(Because vi.c was so stupid it did not even allow for
significantly growing files until recently!)

Does attached patch help?
--
vda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 5.patch
Type: text/x-patch
Size: 10772 bytes
Desc: not available
Url : http://lists.busybox.net/pipermail/busybox/attachments/20081119/bc183915/attachment-0002.bin 
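Added example (not vi.c's code and not the attached 5.patch): a constructed model of the text[] buffer that replays the reporter's "<tab><anychar><CR>" paste loop while keeping the auto-indent cursor as an offset instead of a pointer, so a reallocation inside the insert cannot strand it. The names struct textbuf, buf_insert(), copy_indent() and run_repro() are assumptions of this example, not identifiers from vi.c.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

struct textbuf { char *text; size_t len, cap; };   /* stand-in for vi.c's text[] */
/* Insert c at offset at. Like stupid_insert() in the thread, it may move text[]. */
static int buf_insert(struct textbuf *b, size_t at, char c)
{
    if (at > b->len) return -1;
    if (b->len + 2 > b->cap) {                      /* room for c and the NUL */
        size_t ncap = b->cap ? b->cap * 2 : 16;
        char *n = realloc(b->text, ncap);           /* old b->text is now invalid */
        if (!n) return -1;
        b->text = n; b->cap = ncap;
    }
    memmove(b->text + at + 1, b->text + at, b->len - at + 1);  /* incl. NUL */
    b->text[at] = c;
    b->len++;
    return 0;
}
/* Auto-indent the line starting at offset at with the leading blanks of the line
 * before it. q is an offset, never a pointer into text[], and b->text is re-read
 * after every insert, so a reallocation inside buf_insert() cannot strand it. */
static size_t copy_indent(struct textbuf *b, size_t at)
{
    if (at == 0) return 0;                          /* no previous line */
    size_t q = at - 1, n = 0;                       /* the '\n' ending the previous line */
    while (q > 0 && b->text[q - 1] != '\n') q--;    /* back to that line's first byte */
    for (; q < at && isblank((unsigned char)b->text[q]); q++, n++)
        if (buf_insert(b, at + n, b->text[q]) != 0) break;
    return n;
}
/* Replays the report: "<tab>x<CR>" pasted rounds times into a 4-byte buffer,
 * forcing repeated reallocation. Returns the final length, or 0 on corruption. */
static size_t run_repro(int rounds)
{
    struct textbuf b = { malloc(4), 2, 4 };
    if (!b.text) return 0;
    strcpy(b.text, "\tx");
    for (size_t at = 2; rounds-- > 0; at++) {
        if (buf_insert(&b, at, '\n') != 0) break;   /* <CR> opens a new line... */
        at += 1 + copy_indent(&b, at + 1);          /* ...which gets auto-indented */
        if (buf_insert(&b, at, 'x') != 0) break;    /* the <anychar> */
    }
    size_t len = b.len;
    for (size_t i = 0; i < len; i++)                /* expect "\tx\n\tx\n...\tx" */
        if (b.text[i] != "\tx\n"[i % 3]) len = 0;
    free(b.text);
    return len;
}
```

Each round grows the text by exactly three bytes, so run_repro(100) returns 302 only if every auto-indent survived the reallocations intact; the pointer-based loop in the thread has no such guarantee once text[] moves.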