amd64/101248: vi(1) can crash in ncurses(3) on amd64

Yar Tikhiy yar at comp.chem.msu.su
Wed Aug 2 09:00:29 UTC 2006


>Number:         101248
>Category:       amd64
>Synopsis:       vi(1) can crash in ncurses(3) on amd64
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-amd64
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 02 09:00:28 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Yar Tikhiy
>Release:        FreeBSD 7.0-CURRENT amd64
>Organization:
None
>Environment:
System: FreeBSD sledge.freebsd.org 7.0-CURRENT FreeBSD 7.0-CURRENT #741: Tue Aug 1 14:17:00 UTC 2006 root at sledge.freebsd.org:/h/src/sys/amd64/compile/SLEDGE amd64

>Description:
	If a +N command line option is given to vi(1) on amd64,
	where N is greater than the actual number of lines in the
	file to edit, vi(1) will crash on signal 11 reproducibly.
	The stack trace indicates that the crash happened in an
	ncurses(3) function, but it isn't evident yet where the
	bug itself lurks (vi may pass bogus data to ncurses.)

	The problem won't reproduce on ia64 or i386.

>How-To-Repeat:
	In the following typescript, vi(1) was built with debugging symbols.

-bash-2.05b$ yes | head -100 > 100.txt
-bash-2.05b$ ./nvi +101 100.txt
Segmentation fault: 11 (core dumped)
-bash-2.05b$ gdb nvi nvi.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...
Core was generated by `nvi'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libncurses.so.6...done.
Loaded symbols for /lib/libncurses.so.6
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x00000008006bc1f8 in tputs () from /lib/libncurses.so.6
(gdb) where
#0  0x00000008006bc1f8 in tputs () from /lib/libncurses.so.6
#1  0x0000000000405223 in cl_screen (sp=0x800e72000, flags=1)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/cl/cl_screen.c:114
#2  0x0000000000429f20 in ex_init (sp=0x800e72000) at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/ex/ex_util.c:164
#3  0x000000000043bf77 in vs_msg (sp=0x800e72000, mtype=M_ERR,
    line=0x800e12400 "-c option, 1: Illegal address: only 100 lines in the file\n", len=58)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/vi/vs_msg.c:287
#4  0x000000000040d7ec in msgq (sp=0x800e72000, mt=M_ERR, fmt=0x44432c "Illegal address: only %lu lines in the file")
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/common/msg.c:345
#5  0x000000000041492d in ex_badaddr (sp=0x800e72000, cp=0x1, ba=4294967295, nret=6)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/ex/ex.c:2324
#6  0x0000000000417f28 in ex_cmd (sp=0x800e72000) at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/ex/ex.c:1065
#7  0x000000000040c4a5 in editor (gp=0x800e01000, argc=3, argv=0x7fffffffebf0)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/common/main.c:398
#8  0x0000000000404663 in main (argc=3, argv=0x7fffffffebe0)
    at /h/scratch/yar/src/usr.bin/vi/../../contrib/nvi/cl/cl_main.c:148
(gdb) q

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted: