[vim/vim] Segfault when calling gettabwinvar() with nonexistent tabnr and winnr > 1000 (#5475)
10 views
Skip to first unread message
Yilin Yang
Jan 13, 2020, 11:16:23 PM1/13/20
to vim/vim, Subscribed
Describe the bug
gettabwinvar() crashes when invoked with an "out-of-range" {tabnr} and a |winid| greater than 1000 as the {winnr} parameter.
To Reproduce
Detailed steps to reproduce the behavior:
- Run
vim --clean(orgvim --clean, etc.) :call gettabwinvar(2, 1001, '')
Results in:
Vim: Caught deadly signal SEGV
Vim: Finished
Segmentation fault (core dumped)
This occurs with jonathonf's Ubuntu build and when building from c10b521.
Screencast
Environment (please complete the following information):
Vim version (jonathonf)VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Dec 20 2019 13:24:40)
Included patches: 1-24
Modified by jonathon....@york.ac.uk
Compiled by jonathon....@york.ac.uk
Huge version with GTK2 GUI. Features included (+) or not (-):
+acl -farsi -mouse_sysmouse -tag_old_static
+arabic +file_in_path +mouse_urxvt -tag_any_white
+autocmd +find_in_path +mouse_xterm +tcl
+autochdir +float +multi_byte +termguicolors
-autoservername +folding +multi_lang +terminal
+balloon_eval -footer -mzscheme +terminfo
+balloon_eval_term +fork() +netbeans_intg +termresponse
+browse +gettext +num64 +textobjects
++builtin_terms -hangul_input +packages +textprop
+byte_offset +iconv +path_extra +timers
+channel +insert_expand +perl +title
+cindent +job +persistent_undo +toolbar
+clientserver +jumplist +popupwin +user_commands
+clipboard +keymap +postscript +vartabs
+cmdline_compl +lambda +printer +vertsplit
+cmdline_hist +langmap +profile +virtualedit
+cmdline_info +libcall -python +visual
+comments +linebreak +python3 +visualextra
+conceal +lispindent +quickfix +viminfo
+cryptv +listcmds +reltime +vreplace
+cscope +localmap +rightleft +wildignore
+cursorbind +lua +ruby +wildmenu
+cursorshape +menu +scrollbind +windows
+dialog_con_gui +mksession +signs +writebackup
+diff +modify_fname +smartindent +X11
+digraphs +mouse +sound -xfontset
+dnd +mouseshape +spell +xim
-ebcdic +mouse_dec +startuptime +xpm
+emacs_tags +mouse_gpm +statusline +xsmp_interact
+eval -mouse_jsbterm -sun_workshop +xterm_clipboard
+ex_extra +mouse_netterm +syntax -xterm_save
+extra_search +mouse_sgr +tag_binary
system vimrc file: "$VIM/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
system gvimrc file: "$VIM/gvimrc"
user gvimrc file: "$HOME/.gvimrc"
2nd user gvimrc file: "~/.vim/gvimrc"
defaults file: "$VIMRUNTIME/defaults.vim"
system menu file: "$VIMRUNTIME/menu.vim"
fall-back for $VIM: "/usr/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -DFEAT_GUI_GTK -pthread -I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include -I/usr/include/gio-unix-2.0/ -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/freetype2 -I/usr/include/libpng16 -Wdate-time -g -O2 -fdebug-prefix-map=/build/vim-eGzjIk/vim-8.2.0024=. -fstack-protector-strong -Wformat -Werror=format-security -D_REENTRANT -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc -L. -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fstack-protector -rdynamic -Wl,-export-dynamic -Wl,-E -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -o vim -lgtk-x11-2.0 -lgdk-x11-2.0 -lpangocairo-1.0 -latk-1.0 -lcairo -lgdk_pixbuf-2.0 -lgio-2.0 -lpangoft2-1.0 -lpango-1.0 -lgobject-2.0 -lglib-2.0 -lfontconfig -lfreetype -lSM -lICE -lXpm -lXt -lX11 -lXdmcp -lSM -lICE -lm -ltinfo -lnsl -lselinux -lcanberra -lacl -lattr -lgpm -ldl -L/usr/lib -llua5.2 -Wl,-E -fstack-protector-strong -L/usr/local/lib -L/usr/lib/x86_64-linux-gnu/perl/5.26/CORE -lperl -ldl -lm -lpthread -lcrypt -L/usr/lib/python3.6/config-3.6m-x86_64-linux-gnu -lpython3.6m -lpthread -ldl -lutil -lm -L/usr/lib/x86_64-linux-gnu -ltcl8.6 -ldl -lz -lpthread -lm -lruby-2.5 -lpthread -lgmp -ldl -lcrypt -lm
VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Jan 13 2020 22:49:31)
Included patches: 1-116
Compiled by yiliny@yilin-ubuntu-yeeaboo-two
Huge version with GTK2 GUI. Features included (+) or not (-):
+acl -farsi -mouse_sysmouse -tag_old_static
+arabic +file_in_path +mouse_urxvt -tag_any_white
+autocmd +find_in_path +mouse_xterm -tcl
+autochdir +float +multi_byte +termguicolors
-autoservername +folding +multi_lang +terminal
+balloon_eval -footer -mzscheme +terminfo
+balloon_eval_term +fork() +netbeans_intg +termresponse
+browse +gettext +num64 +textobjects
++builtin_terms -hangul_input +packages +textprop
+byte_offset +iconv +path_extra +timers
+channel +insert_expand -perl +title
+cindent +job +persistent_undo +toolbar
+clientserver +jumplist +popupwin +user_commands
+clipboard +keymap +postscript +vartabs
+cmdline_compl +lambda +printer +vertsplit
+cmdline_hist +langmap +profile +virtualedit
+cmdline_info +libcall -python +visual
+comments +linebreak -python3 +visualextra
+conceal +lispindent +quickfix +viminfo
+cryptv +listcmds +reltime +vreplace
+cscope +localmap +rightleft +wildignore
+cursorbind -lua -ruby +wildmenu
+cursorshape +menu +scrollbind +windows
+dialog_con_gui +mksession +signs +writebackup
+diff +modify_fname +smartindent +X11
+digraphs +mouse -sound -xfontset
+dnd +mouseshape +spell +xim
-ebcdic +mouse_dec +startuptime -xpm
+emacs_tags -mouse_gpm +statusline +xsmp_interact
+eval -mouse_jsbterm -sun_workshop +xterm_clipboard
+ex_extra +mouse_netterm +syntax -xterm_save
+extra_search +mouse_sgr +tag_binary
system vimrc file: "$VIM/vimrc"
user vimrc file: "$HOME/.vimrc"
2nd user vimrc file: "~/.vim/vimrc"
user exrc file: "$HOME/.exrc"
system gvimrc file: "$VIM/gvimrc"
user gvimrc file: "$HOME/.gvimrc"
2nd user gvimrc file: "~/.vim/gvimrc"
defaults file: "$VIMRUNTIME/defaults.vim"
system menu file: "$VIMRUNTIME/menu.vim"
fall-back for $VIM: "/usr/local/share/vim"
Compilation: gcc -c -I. -Iproto -DHAVE_CONFIG_H -DFEAT_GUI_GTK -pthread -I/usr/include/gtk-2.0 -I/usr/lib/x86_64-linux-gnu/gtk-2.0/include -I/usr/include/gio-unix-2.0/ -I/usr/include/cairo -I/usr/include/pango-1.0 -I/usr/include/atk-1.0 -I/usr/include/cairo -I/usr/include/pixman-1 -I/usr/include/gdk-pixbuf-2.0 -I/usr/include/libpng16 -I/usr/include/pango-1.0 -I/usr/include/harfbuzz -I/usr/include/pango-1.0 -I/usr/include/glib-2.0 -I/usr/lib/x86_64-linux-gnu/glib-2.0/include -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/freetype2 -I/usr/include/libpng16 -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1
Linking: gcc -L/usr/local/lib -Wl,--as-needed -o vim -lgtk-x11-2.0 -lgdk-x11-2.0 -lpangocairo-1.0 -latk-1.0 -lcairo -lgdk_pixbuf-2.0 -lgio-2.0 -lpangoft2-1.0 -lpango-1.0 -lgobject-2.0 -lglib-2.0 -lfontconfig -lfreetype -lXt -lX11 -lSM -lICE -lm -ltinfo -ldl
- OS: Ubuntu 18.04
- Terminal: GNOME Terminal
Additional context
I've done some tracing to find out where the crash occurs. The two places that stand out the most are getwinvar() in src/evalvars.cand find_win_by_nr() in src/evalwindow.c.
When invoked with off = 1 (as through a call to gettabwinvar()), the following code:
if (off == 1) tp = find_tabpage((int)tv_get_number_chk(&argvars[0], NULL)); else tp = curtab; win = find_win_by_nr(&argvars[off], tp);
Sets tp to NULL, since {tabnr} doesn't correspond to an existing tabpage; that NULL is passed into find_win_by_nr, which fails to find a matching window in its FOR_ALL_WINDOWS_IN_TAB loop, and enters the following block:
if (nr >= LOWEST_WIN_ID) { #ifdef FEAT_PROP_POPUP // check tab-local popup windows for (wp = tp->tp_first_popupwin; wp != NULL; wp = wp->w_next) if (wp->w_id == nr) return wp; // check global popup windows for (wp = first_popupwin; wp != NULL; wp = wp->w_next) if (wp->w_id == nr) return wp; #endif
Which dereferences the NULL tp inside of the first for loop, causing a segmentation fault.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
John Little
Jan 14, 2020, 3:53:13 AM1/14/20
to vim_dev
I reproduced this, and noticed that the stock Ubuntu version did not, so bisected to find the first bad commit is
9c27b1c6d140ca824a78654c1cb70a43a69b4ec6
Date: Sun May 26 18:48:13 2019 +0200
patch 8.1.1400: using global pointer for tab-local popups is clumsy
Problem: Using global pointer for tab-local popups is clumsy.
Solution: Use the pointer in tabpage_T.
Problem: Using global pointer for tab-local popups is clumsy.
Solution: Use the pointer in tabpage_T.
0 new messages