[vim/vim] A possible divide by zero bug in misc2.c (#8767)
10 views
Skip to first unread message
yiyuaner
Aug 17, 2021, 2:31:06 AM8/17/21
to vim/vim, Subscribed
In the file misc2.c, the function coladvance2 has the following code:
int width = curwin->w_width - win_col_off(curwin);
if (finetune
&& curwin->w_p_wrap
&& curwin->w_width != 0
&& wcol >= (colnr_T)width)
{
if (wcol / width > (colnr_T)csize / width)
}
The variable width is used as a divisor but its value can be zero because:
curwin->w_widthmay be zero, since the code explicitly checks thatcurwin->w_width != 0- The function
win_col_off(curwin)may return zero, refer to the code here.
Therefore, I think here we have a potential divide by zero bug.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
Triage notifications on the go with GitHub Mobile for iOS or Android.
Christ van Willegen
Aug 17, 2021, 10:46:47 AM8/17/21
to vim...@googlegroups.com, reply+ACY5DGD2FSEPZ4QUUV...@reply.github.com
In the file
misc2.c, the functioncoladvance2has the following code:int width = curwin->w_width - win_col_off(curwin); if (finetune && curwin->w_p_wrap && curwin->w_width != 0 && wcol >= (colnr_T)width) { if (wcol / width > (colnr_T)csize / width) }The variable
widthis used as a divisor but its value can be zero because:
curwin->w_widthmay be zero, since the code explicitly checks thatcurwin->w_width != 0
Since this is checked in the if statement, it can't be 0.
If it returns 0, width would be non zero, or curwin->w_width would be 0, and this is checked.
So, the code path you describe can't lead to a divide by 0.
If curwin->w_width is a non zero value, _and_ the call to win_col_off(curwin) returns the same value, then width can become 0. I do not have the code here to check if this is possible...
Christ van Willegen
vim-dev ML
Aug 17, 2021, 10:47:03 AM8/17/21
to vim/vim, vim-dev ML, Your activity
Hi,
Op di 17 aug. 2021 08:31 schreef yiyuaner ***@***.***>:
> In the file misc2.c, the function coladvance2 has the following code
> <https://github.com/vim/vim/blob/ccfb7c6758510e0fe5f390149ea14aee6ff4f55e/src/misc2.c#L159-%23L171>
> :
>
> int width = curwin->w_width - win_col_off(curwin);
> if (finetune
> && curwin->w_p_wrap
> && curwin->w_width != 0
> && wcol >= (colnr_T)width)
> {
> if (wcol / width > (colnr_T)csize / width)
> }
>
> The variable width is used as a divisor but its value can be zero because:
>
> 1. curwin->w_width may be zero, since the code explicitly checks that curwin->w_width
> != 0
>
>
Since this is checked in the if statement, it can't be 0.
> 1. The function win_col_off(curwin) may return zero, refer to the code
> here
> <https://github.com/vim/vim/blob/ccfb7c6758510e0fe5f390149ea14aee6ff4f55e/src/move.c#L893>
> .
>
>
If it returns 0, width would be non zero, or curwin->w_width would be 0,
and this is checked.
So, the code path you describe can't lead to a divide by 0.
If curwin->w_width is a non zero value, _and_ the call to
win_col_off(curwin) returns the same value, then width can become 0. I do
not have the code here to check if this is possible...
Christ van Willegen
Op di 17 aug. 2021 08:31 schreef yiyuaner ***@***.***>:
> In the file misc2.c, the function coladvance2 has the following code
> :
>
> int width = curwin->w_width - win_col_off(curwin);
> if (finetune
> && curwin->w_p_wrap
> && curwin->w_width != 0
> && wcol >= (colnr_T)width)
> {
> if (wcol / width > (colnr_T)csize / width)
> }
>
> The variable width is used as a divisor but its value can be zero because:
>
> != 0
>
>
Since this is checked in the if statement, it can't be 0.
> here
> <https://github.com/vim/vim/blob/ccfb7c6758510e0fe5f390149ea14aee6ff4f55e/src/move.c#L893>
> .
>
>
If it returns 0, width would be non zero, or curwin->w_width would be 0,
and this is checked.
So, the code path you describe can't lead to a divide by 0.
If curwin->w_width is a non zero value, _and_ the call to
win_col_off(curwin) returns the same value, then width can become 0. I do
not have the code here to check if this is possible...
Christ van Willegen
Bram Moolenaar
Aug 17, 2021, 4:16:15 PM8/17/21
to vim/vim, vim-dev ML, Comment
> In the file `misc2.c`, the function `coladvance2` has the following [code](https://github.com/vim/vim/blob/ccfb7c6758510e0fe5f390149ea14aee6ff4f55e/src/misc2.c#L159-#L171):
> ```
> int width = curwin->w_width - win_col_off(curwin);
> if (finetune
> && curwin->w_p_wrap
> && curwin->w_width != 0
> && wcol >= (colnr_T)width)
> {
> if (wcol / width > (colnr_T)csize / width)
> }
> ```
> The variable `width` is used as a divisor but its value can be zero because:
> 2. The function `win_col_off(curwin)` may return zero, refer to the code [here](https://github.com/vim/vim/blob/ccfb7c6758510e0fe5f390149ea14aee6ff4f55e/src/move.c#L893).
>
> Therefore, I think here we have a potential divide by zero bug.
then making the window so narrow no text shows, then using "j" or "k".
--
Men may not be seen publicly in any kind of strapless gown.
[real standing law in Florida, United States of America]
/// Bram Moolenaar -- ***@***.*** -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
—
You are receiving this because you commented.
Reply all
Reply to author
Forward
0 new messages