Segfault while reading .editorconfig generated by JetBrains IDE

[vovochka404]

I've got segfault of Kate each time i'm trying to open any file in directory with .editorconfig, generated by JetBrains IDE

vovochka in ~/tmp $ ls -a  
.  ..  .editorconfig  test.php
vovochka in ~/tmp $ editorconfig /home/vovochka/tmp/test.php 
*** buffer overflow detected ***: editorconfig terminated
[1]    77219 abort (core dumped)  editorconfig /home/vovochka/tmp/test.php

.editorconfig:
editorconfig.txt

Got this trace:

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007f3113b36b01 in __GI_abort () at abort.c:79
#2  0x00007f3113b78957 in __libc_message (action=<optimized out>, fmt=fmt@entry=0x7f3113c800f3 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007f3113c0954e in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, msg=msg@entry=0x7f3113c8007a "buffer overflow detected") at fortify_fail.c:33
#4  0x00007f3113c09581 in __GI___fortify_fail (msg=msg@entry=0x7f3113c8007a "buffer overflow detected") at fortify_fail.c:44
#5  0x00007f3113c07430 in __GI___chk_fail () at chk_fail.c:28
#6  0x00007f3113c066c2 in __strcpy_chk (dest=dest@entry=0x7ffda5967b90 "ij_php_api_weight", src=0x7ffda5968cf0 "ij_php_array_initializer_new_line_after_left_brace", destlen=destlen@entry=50) at strcpy_chk.c:30
#7  0x00007f3113eb9352 in strcpy (__src=<optimized out>, __dest=0x7ffda5967b90 "ij_php_api_weight") at /usr/include/bits/string_fortified.h:90
#8  array_editorconfig_name_value_add (aenv=aenv@entry=0x7ffda596a140, name=name@entry=0x7ffda5968cf0 "ij_php_array_initializer_new_line_after_left_brace", value=value@entry=0x7ffda5968d25 "true")
    at /usr/src/debug/editorconfig-core-c-0.12.3-lp152.1.5.x86_64/src/lib/editorconfig.c:156
#9  0x00007f3113eb96d3 in ini_handler (hfp=hfp@entry=0x7ffda596a130, section=section@entry=0x7ffda5967ce0 "{*.ctp,*.phtml,*.module,*.php,*.php5,*.php4,*.hphp,*.inc}", 
    name=name@entry=0x7ffda5968cf0 "ij_php_array_initializer_new_line_after_left_brace", value=value@entry=0x7ffda5968d25 "true") at /usr/src/debug/editorconfig-core-c-0.12.3-lp152.1.5.x86_64/src/lib/editorconfig.c:269
#10 0x00007f3113eba1a6 in ini_parse_file (file=file@entry=0x5594ed38c410, handler=handler@entry=0x7f3113eb9510 <ini_handler>, user=user@entry=0x7ffda596a130) at /usr/src/debug/editorconfig-core-c-0.12.3-lp152.1.5.x86_64/src/lib/ini.c:180
#11 0x00007f3113eba34c in ini_parse (filename=filename@entry=0x5594ed38c350 "/home/vovochka/tmp/.editorconfig", handler=handler@entry=0x7f3113eb9510 <ini_handler>, user=user@entry=0x7ffda596a130)
    at /usr/src/debug/editorconfig-core-c-0.12.3-lp152.1.5.x86_64/src/lib/ini.c:205
#12 0x00007f3113eb9ad5 in editorconfig_parse (full_filename=<optimized out>, h=0x5594ed38c2b0) at /usr/src/debug/editorconfig-core-c-0.12.3-lp152.1.5.x86_64/src/lib/editorconfig.c:470
#13 0x00005594eb29e4e8 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/editorconfig-core-c-0.12.3-lp152.1.5.x86_64/src/bin/main.c:219

[greut]

It looks like the packager did enable extra hardening options, I'd take this issue to https://bugs.opensuse.org

[ffes]

My initial guess was that the quite long lines 31, 135, 153 and 171 were the problem. They all are over 2200 chars long. But apparently they were parsed just fine.

The ij_php_array_initializer_new_line_after_left_brace at line 303 mentioned in the trace is 50 chars long, but before that keys longer do exist, for instance ij_coffeescript_method_parameters_new_line_after_left_paren at line 231 is 59 chars long.

Currently in the specs is a hard limit of 50 for keys and 255 for values. There has been a discussion in editorconfig/editorconfig#429 to increase the fixed lengths in the specs, but that hasn't yet let to any merged PR at this moment.
editorconfig/specification#21
editorconfig/editorconfig-core-test#41

[greut]

A easy way to reproduce it.

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index d030664..05970b7 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -85,6 +85,9 @@ if(MSVC)
     add_definitions("-J")
 else()
     add_definitions("-funsigned-char")
+    add_definitions("-D_FORTIFY_SOURCE=1")
+    add_definitions("-O2")
+    add_definitions("-Wall")
 endif()
 
 add_subdirectory(lib)

[Vogtinator]

While #74 avoids the overflow and resulting crash, it means that any of the affected keys are silently ignored or overwrite the values of other keys, which is a misbehaviour. While this only affects files which technically violate the specification, there's no way to tell those apart from valid ones. Please reconsider whether this issue is really fixed.

[xuhdev]

@Vogtinator This is intended to be truncated. See the specification:

The maximum length of a pair key is 50 characters and the maximum length of a pair value is 255 characters. Any key or value beyond these limits shall be ignored.

[ffes]

According to the specs it is fixed. See my comment above for the related issue and PRs about fixing the issue in the specs.

Once the specs are updated the cores should be updated accordingly.

[Vogtinator]

According to the specs it is fixed. See my comment above for the related issue and PRs about fixing the issue in the specs.

No, it's clearly violating the spec. The spec says:

Any key or value beyond these limits shall be ignored.

Truncation is the opposite of ignoring. In this case it assigns the values into a different key.

[xuhdev]

Sorry for the confusion. I think you are right. The test is consistent with your interpretation of the specification (see the relevant lines in limits.in: the test case is testing whether the core library is properly ignoring the 51-char long key).

The C core test is passing this test, which means that it has already been acting properly. The resolving PR merely fixed the overflow issue (the insufficiently allocated array size).

[Vogtinator]

I ran editorconfig through a debugger and can confirm that it's actually ignoring the keys properly indeed.
The reason for my confusion there was that the check for the length happens in ini_parse_file, so before array_editorconfig_name_value_add is actually called. I thought that was not the case, because otherwise the overflow couldn't happen, but there's simply a off-by-one error between the check in ini_parse_file and array_editorconfig_name_value_add which resulted in writing the null-terminator one past the array.

Sorry for the noise and thanks for the quick fix!