[vim/vim] Crash with completion from too long files (#1600)


Nikolai Aleksandrovich Pavlov

Mar 29, 2017, 5:18:34 PM
to vim/vim, Subscribed

Given that the second opened file exists and contains text TEST TXT (two words starting with T) the following script is enough to crash:

 vim --cmd 'set columns=5000 noswapfile' -u NONE -i NONE -N /tmp/b $PWD/../"$(perl -e "print ((('/'.('d' x 255)) x 4).'/'.('a' x 255))")" -s <(<<< $'iT\C-n')

Note that bash supports neither <<< nor \C-n in $'', need echo and actual value. Bug was found by coverity in Neovim (CID 56813), at the end of ins_compl_next function (where it copies compl_shown_match->cp_fname + i into IObuff). It is necessary that columns value is large.

Checked with vim 8.0.512.


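The copy the report describes, as an added example modelled on it (constructed for this thread, not Vim's code and not the fix referenced later): a fixed-size IObuff, a start offset that accounts only for the screen width, and beside it a version that also bounds the copy by the buffer size. IOSIZE, the message text and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the copy the report describes (not Vim's own code): a
 * fixed-size message buffer and a start offset derived from the screen width. */
#define IOSIZE 1025
static char IObuff[IOSIZE];

/* Name in the shape the report uses: 4 x ("/" + 255 'd'), then "/" + 255 'a'. */
static const char *report_name(void)
{
    static char name[4 * 256 + 256 + 1];
    char *p = name;
    for (int k = 0; k < 4; k++) { *p++ = '/'; memset(p, 'd', 255); p += 255; }
    *p++ = '/'; memset(p, 'a', 255); p[255] = '\0';
    return name;
}

/* Vulnerable shape: the offset trims only what does not fit on screen, so a wide
 * screen (large 'columns') copies the whole name even when it exceeds IObuff. */
static size_t show_match_unbounded(const char *fname, int sc_col)
{
    int i = ((int)strlen(fname) + 16) - sc_col;
    strcpy(IObuff, "match in file ");
    if (i <= 0) i = 0; else strcat(IObuff, "<");
    strcat(IObuff, fname + i);            /* bounded by sc_col, not by IOSIZE */
    return strlen(IObuff);
}

/* Bytes (with NUL) the unbounded copy would write, so the overflow can be
 * shown arithmetically instead of being triggered. */
static size_t unbounded_need(const char *fname, int sc_col)
{
    int i = ((int)strlen(fname) + 16) - sc_col;
    if (i <= 0) i = 0;
    return strlen("match in file ") + (i > 0) + (strlen(fname) - (size_t)i) + 1;
}

/* Hardened shape: keep the tail that fits the screen space and let snprintf
 * enforce IOSIZE as well, so the tighter of the two limits always wins. */
static size_t show_match_bounded(const char *fname, int sc_col)
{
    const char *lead = "match in file", *s = fname;
    size_t len = strlen(fname);
    int space = sc_col - (int)strlen(lead) - 2;   /* after "lead " and "<" */
    if (space <= 0) { IObuff[0] = '\0'; return 0; }   /* nothing fits */
    if ((int)len > space) s = fname + (len - (size_t)space);
    snprintf(IObuff, IOSIZE, "%s %s%s", lead, s > fname ? "<" : "", s);
    return strlen(IObuff);
}
```

With the report's 1280-byte name and columns=5000 the unbounded arithmetic needs 1295 bytes of a 1025-byte buffer; the bounded version stops at 1024.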

Bram Moolenaar

Mar 30, 2017, 4:08:24 PM
to vim/vim, Subscribed

Nikolai Pavlov wrote:

> Given that the second opened file exists and contains text `TEST TXT` (two words starting with T) the following script is enough to crash:
>
> vim --cmd 'set columns=5000 noswapfile' -u NONE -i NONE -N /tmp/b $PWD/../"$(perl -e "print ((('/'.('d' x 255)) x 4).'/'.('a' x 255))")" -s <(<<< $'iT\C-n')
>
> Note that bash supports neither `<<<` nor `\C-n` in `$''`, need echo and actual value. Bug was found by coverity in Neovim (CID 56813), at the end of `ins_compl_next` function (where it copies `compl_shown_match->cp_fname + i` into `IObuff`). It is necessary that `columns` value is large.
>
> Checked with vim 8.0.512.

I tried to turn it into a Vim script, but it doesn't reproduce the
problem:

set nocompatible
set columns=5000
set noswapfile
let longname = getcwd() . "/../" . repeat('/' . repeat('d', 255), 4) . '/' . repeat('a', 255)
exe "next /tmp/b " . longname
exe "normal iT\<C-N>"

What is missing?

Hmm, seems that code also doesn't handle translations and multi-byte
characters.

--
"The amigos also appear to be guilty of not citing the work of others who had
gone before them. Even worse, they have a chapter about modeling time and
space without making a single reference to Star Trek!"
(Scott Ambler, reviewing the UML User Guide)

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

Nikolai Aleksandrovich Pavlov

Mar 30, 2017, 4:16:43 PM
to vim/vim, Subscribed

The file in question must be created and contain at least two words starting with T. And it must not be loaded AFAIR.

Bram Moolenaar

Mar 31, 2017, 4:28:23 PM
to vim/vim, Subscribed

Nikolai Pavlov wrote:

> The file in question must be created and contain at least two words
> starting with T. And it must not be loaded AFAIR.

Thanks, now I could reproduce and turn the example into a test.

--
Marriage isn't a word. It's a sentence.


Bram Moolenaar

Mar 31, 2017, 4:28:49 PM
to vim/vim, Subscribed

Closed #1600 via 658a3a2.
