append()/appendbufline()/setline()/setbufline() crash with a NULL list


Yegappan Lakshmanan

Apr 21, 2020, 2:39:34 AM
to vim_dev
Hi,

The following calls crash Vim (with ASAN enabled):

  call append(1, test_null_list())
  call appendbufline(1, 1, test_null_list())
  call setline(1, test_null_list())
  call setbufline(1, 1, test_null_list())

The set_buffer_lines() function doesn't validate the 'lines' parameter
before de-referencing it.

- Yegappan
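The defect reported above, modelled as an added C example that is not Vim's code: a simplified list_T and a set_buffer_lines()-style function that dereferences the list before checking it, beside the variant that treats a NULL list as an empty one. The struct layouts, the line_count field, the buf_T stand-in and the two-line sample list are assumptions for this illustration.

```c
#include <stddef.h>

/* Simplified model of Vim's list_T/listitem_T: the names are Vim's, the
 * layout is an assumption and this is not Vim's code.  test_null_list()
 * hands a builtin a NULL list_T *, which is distinct from an empty list. */
typedef struct listitem_S {
    const char *li_str;
    struct listitem_S *li_next;
} listitem_T;
typedef struct { listitem_T *lv_first; } list_T;   /* lv_first NULL when empty */

/* Stand-in for the target buffer: only counts the lines written into it. */
typedef struct { int line_count; } buf_T;

/* The defect from the report: 'lines' is dereferenced before any check, so
 * a NULL list crashes (ASAN flags the NULL read).  Kept only for contrast. */
static int set_buffer_lines_unchecked(buf_T *buf, list_T *lines)
{
    listitem_T *li;
    for (li = lines->lv_first; li != NULL; li = li->li_next)  /* NULL deref */
        ++buf->line_count;
    return buf->line_count;
}

/* Fixed variant: a NULL list behaves like an empty list, so the call is a
 * harmless no-op rather than a crash. */
static int set_buffer_lines_checked(buf_T *buf, list_T *lines)
{
    listitem_T *li;
    if (lines == NULL)                    /* treat like [] */
        return buf->line_count;
    for (li = lines->lv_first; li != NULL; li = li->li_next)
        ++buf->line_count;
    return buf->line_count;
}

/* Constructed two-line list for the demonstration. */
static listitem_T item2 = { "second", NULL };
static listitem_T item1 = { "first", &item2 };
static list_T two_lines = { &item1 };

/* Writes two lines, then a NULL list; returns the final count. */
static int demo_null_is_empty(void)
{
    buf_T buf = { 0 };
    set_buffer_lines_checked(&buf, &two_lines);
    return set_buffer_lines_checked(&buf, NULL);   /* 2 */
}

int main(void) { return demo_null_is_empty() == 2 ? 0 : 1; }
```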

Bram Moolenaar

Apr 21, 2020, 4:25:44 AM
to vim...@googlegroups.com, Yegappan Lakshmanan
Good find. It should behave like an empty list. Can you fix that?

--
Bad fashion can discourage normal people from interacting with the engineer
and talking about the cute things their children do.
(Scott Adams - The Dilbert principle)

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///

Yegappan Lakshmanan

Apr 21, 2020, 2:59:02 PM
to Bram Moolenaar, vim_dev
Hi Bram,

On Tue, Apr 21, 2020 at 1:25 AM Bram Moolenaar <Br...@moolenaar.net> wrote:

Yegappan wrote:

> The following calls crash Vim (with ASAN enabled):
>
>   call append(1, test_null_list())
>   call appendbufline(1, 1, test_null_list())
>   call setline(1, test_null_list())
>   call setbufline(1, 1, test_null_list())
>
> The set_buffer_lines() function doesn't validate the 'lines' parameter
> before de-referencing it.

Good find.  It should behave like an empty list.  Can you fix that?


I have updated the PR https://github.com/vim/vim/pull/5963 with a fix for this.

- Yegappan
Bram Moolenaar

Apr 21, 2020, 4:20:27 PM
to vim...@googlegroups.com, Yegappan Lakshmanan

Yegappan wrote:

> > > The following calls crash Vim (with ASAN enabled):
> > >
> > > call append(1, test_null_list())
> > > call appendbufline(1, 1, test_null_list())
> > > call setline(1, test_null_list())
> > > call setbufline(1, 1, test_null_list())
> > >
> > > The set_buffer_lines() function doesn't validate the 'lines' parameter
> > > before de-referencing it.
> >
> > Good find. It should behave like an empty list. Can you fix that?
>
> I have updated the PR https://github.com/vim/vim/pull/5963 with a fix for
> this.

Thanks!

--
Normal people believe that if it ain't broke, don't fix it. Engineers believe
that if it ain't broke, it doesn't have enough features yet.