
Crash when searching for column with number between 2^64 - 1 and 2 ^ 64 - 2 ^ 31 #9930

Closed · rgreenblatt opened this issue Apr 21, 2019 · 5 comments · Fixed by #10596
Labels: bug-crash (issue reporting a crash or segfault), has:plan, has:repro (issue contains minimal reproducing steps)
Milestone: todo
Comments

@rgreenblatt commented Apr 21, 2019

NVIM v0.4.0-dev
VIM - Vi IMproved 8.1 compiled from source today does not crash.

  • Operating system/version: Ubuntu 18.10
  • Terminal name/version: st
  • $TERM: xterm-256color and st-256color both reproduce the problem

Steps to reproduce using nvim -u NORC:

    nvim -u NORC
    /\v%18446744071562067968c

Will yield:

    nvim: /build/neovim-5zUQcT/neovim-0.4.0+ubuntu1+git201904202022-43356a4-eada8be/src/nvim/regexp_nfa.c:5926: nfa_regmatch: Assertion `t->state->val >= 0 && reginput >= regline && (uintmax_t)(reginput - regline) <= UINTMAX_MAX - 1' failed.
    [1]    30948 abort (core dumped)  /usr/bin/nvim -u NORC

Any number between 18446744071562067968 (2^64 - 2^31) and 18446744073709551615 (2^64 - 1) causes a crash for me. The issue doesn't reproduce for 2^64 - 2^32, but I am not sure where the issue stops occurring between 2^64 - 2^31 and 2^64 - 2^32.

I ran into this while generating patterns using C++ and overflowing a size_t value. I can't imagine this is a problem for anyone, but it does seem, at least to me, like something that should get fixed if possible.

rgreenblatt changed the title from "Crash when searching for column with number between 2^64 - 1 and 2 ^ 64 - 2 ** 31" to "Crash when searching for column with number between 2^64 - 1 and 2 ^ 64 - 2 ^ 31" on Apr 21, 2019
mhinz added the has:repro (issue contains minimal reproducing steps) and bug-crash (issue reporting a crash or segfault) labels on Apr 22, 2019
@mhinz (Member) commented Apr 22, 2019

This assert is hit:

neovim/src/nvim/regexp_nfa.c, lines 5924 to 5926 at 43356a4:

    assert(t->state->val >= 0
           && reginput >= regline
           && (uintmax_t)(reginput - regline) <= UINTMAX_MAX - 1);

Introduced by: 2ceb1c7

@justinmk (Member) commented Apr 24, 2019

Should show an EMSG error instead of asserting.

I can't imagine that Vim does anything useful with such a value...

justinmk added this to the todo milestone on Apr 24, 2019

@gafeol (Contributor) commented May 14, 2019

Hi, I was trying to solve this issue, but I've been unable to create an error message in the regexp_nfa.c file.
My biggest problem is figuring out where to create the error message with EMSG. I've tried replacing the assert on line 5924 with an if:

    [Screenshot from 2019-05-13 21-46-02]

But then when reproducing the issue I get these errors:

    [Screenshot from 2019-05-13 21-41-33]
    [Screenshot from 2019-05-13 21-41-58]

Should I stop the execution of the function nfa_regmatch with some return value other than just false?

@justinmk (Member) commented

> But then when reproducing the issue I get these errors:

That is what I would expect. What else is the editor supposed to do with such a column?
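Added example, not code from neovim or from anyone in this thread, illustrating the two points discussed above: why the reporter's crash window falls where it does, and how a column number can be validated at parse time so the matcher never receives a value that only an assertion would catch. The arithmetic is the part I am certain of: 2^64 - 2^31 through 2^64 - 1 are exactly the 64-bit values whose low 32 bits read as a negative int, and 2^64 - 2^32 has low bits of zero, which is consistent with the report (no crash at 2^64 - 2^32, crash from 2^64 - 2^31 up). The names `parse_column_atom`, `wrap_to_int` and the `col_status_t` enum are mine, not neovim's; the parser is a stand-alone sketch of the range check, not Vim's patch, and the sample inputs are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of validating the N in a "\%Nc" column atom (hypothetical names). */
typedef enum {
    COL_OK = 0,
    COL_ERR_NO_DIGITS,   /* "\%c" with no number at all */
    COL_ERR_SYNTAX,      /* digits not followed by the closing 'c' */
    COL_ERR_OVERFLOW,    /* more than fits in an unsigned 64-bit accumulator */
    COL_ERR_TOO_LARGE,   /* fits in 64 bits but not in the int that holds it */
} col_status_t;

/* What an unchecked 64-bit -> int narrowing yields on a two's-complement
 * machine: keep the low 32 bits and reinterpret them as signed. Written out
 * explicitly so the result is well defined in standard C instead of relying
 * on the implementation-defined narrowing conversion. */
int wrap_to_int(uint64_t v) {
    uint32_t low = (uint32_t)v;                 /* low 32 bits survive */
    int64_t signed_low = (int64_t)low;
    if (low > (uint32_t)INT32_MAX) {
        signed_low -= (int64_t)1 << 32;         /* maps to INT_MIN .. -1 */
    }
    return (int)signed_low;
}

/* Parse the decimal column number starting at s and ending at the 'c' that
 * closes the atom. Anything the int column field cannot represent is
 * rejected here, so the caller can raise an ordinary error message rather
 * than trip an assertion deep inside the matcher. */
col_status_t parse_column_atom(const char *s, int *out_col) {
    if (!isdigit((unsigned char)s[0])) {
        return COL_ERR_NO_DIGITS;               /* also rejects '-', ' ', '+' */
    }
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (*end != 'c') {
        return COL_ERR_SYNTAX;
    }
    if (errno == ERANGE) {
        return COL_ERR_OVERFLOW;                /* strtoull saturated */
    }
    if (v > (unsigned long long)INT_MAX) {
        return COL_ERR_TOO_LARGE;               /* would wrap when stored */
    }
    *out_col = (int)v;
    return COL_OK;
}

int main(void) {
    /* Constructed inputs: the reporter's boundaries plus neighbours. */
    const char *samples[] = {
        "42c",                    /* ordinary column */
        "2147483647c",            /* INT_MAX: largest value accepted */
        "18446744069414584320c",  /* 2^64 - 2^32: wraps to 0 (reporter: no crash) */
        "18446744071562067968c",  /* 2^64 - 2^31: wraps to INT_MIN (first crashing value) */
        "18446744073709551615c",  /* 2^64 - 1: wraps to -1 */
        "18446744073709551616c",  /* 2^64: does not fit the accumulator at all */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int col = 0;
        col_status_t st = parse_column_atom(samples[i], &col);
        unsigned long long raw = strtoull(samples[i], NULL, 10);
        printf("%-22s status=%d checked=%d unchecked_wrap=%d\n",
               samples[i], (int)st, col, wrap_to_int((uint64_t)raw));
    }
    return 0;
}
```

The check deliberately happens at parse time, before any state is emitted: once a negative value sits in the state, the only place left to notice it is the matcher's assertion, which is exactly the situation gafeol ran into when swapping the assert for an if. Build with `cc -std=c11 -Wall example.c` and run it; `strtoull` reports saturation through `errno == ERANGE`, and every value above `INT_MAX` is refused regardless of whether it would have wrapped to a positive, zero or negative int.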

@jamessan (Member) commented Jun 9, 2019

v8.1.0908 is relevant.
