Bug 7256 - vi.c: insert_char accesses memory that may no longer be valid
Status: RESOLVED FIXED
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.22.x
Hardware: PC Linux
Importance: P5 normal
Target Milestone: ---
Assignee: unassigned
Reported: 2014-07-01 17:22 UTC by Marko Mahnič
Modified: 2014-09-15 15:08 UTC

Description Marko Mahnič 2014-07-01 17:22:49 UTC
1. the pointer sp points to p: sp = p;
2. stupid_insert inserts at p which may cause a reallocation of text
3. p is adjusted to the reallocated text
4. sp still points to the old location which is most likely invalid
5. sp is used in: strchr(")]}", *sp), showmatching(sp)

// line 1838
#if ENABLE_FEATURE_VI_SETOPTS
		// insert a char into text[]
		char *sp;		// "save p"
#endif

		if (c == 13)
			c = '\n';	// translate \r to \n
#if ENABLE_FEATURE_VI_SETOPTS
		sp = p;			// remember addr of insert
#endif
		p += 1 + stupid_insert(p, c);	// insert the char
#if ENABLE_FEATURE_VI_SETOPTS
		if (showmatch && strchr(")]}", *sp) != NULL) {
			showmatching(sp);
		}
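Added example, not part of the original report and not BusyBox code: the same insert-then-inspect sequence with the position saved as an offset and the pointer rebuilt after the buffer has grown. The textbuf struct and the tb_insert, insert_and_test_match and demo names are hypothetical, and growth here always allocates a fresh block so that the move is deterministic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for vi.c's text[] buffer; all names are assumptions. */
struct textbuf { char *text; size_t len, cap; };

/* Insert c at offset off. Growth always allocates a new block, so every
 * pointer into the old block is stale afterwards (as sp is in the report). */
static int tb_insert(struct textbuf *tb, size_t off, char c)
{
	if (off > tb->len)
		return -1;
	if (tb->len == tb->cap) {
		size_t ncap = tb->cap ? tb->cap * 2 : 8;
		char *n = malloc(ncap);
		if (!n)
			return -1;
		if (tb->len)
			memcpy(n, tb->text, tb->len);
		free(tb->text);
		tb->text = n;
		tb->cap = ncap;
	}
	memmove(tb->text + off + 1, tb->text + off, tb->len - off);
	tb->text[off] = c;
	tb->len++;
	return 0;
}

/* Remember the insert position as an offset and rebuild the pointer after
 * the insert. Returns 1 for a closing bracket, 0 otherwise, -1 on error. */
static int insert_and_test_match(struct textbuf *tb, size_t off, char c)
{
	if (tb_insert(tb, off, c == '\r' ? '\n' : c) != 0)
		return -1;
	const char *sp = tb->text + off;	/* derived from the current text */
	return *sp != '\0' && strchr(")]}", *sp) != NULL;	/* strchr matches NUL too */
}

/* Constructed input: 8 bytes fill the buffer, so inserting ')' must grow it. */
static int demo(void)
{
	struct textbuf tb = { 0 };
	for (const char *s = "foo(a,b,"; *s; s++)
		tb_insert(&tb, tb.len, *s);
	uintptr_t old = (uintptr_t)tb.text;	/* address before the growing insert */
	int ok = insert_and_test_match(&tb, tb.len, ')') == 1 && (uintptr_t)tb.text != old;
	free(tb.text);
	return ok;	/* 1: block moved and the bracket was still detected */
}
int main(void) { return demo() == 1 ? 0 : 1; }
```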
Comment 1 Denys Vlasenko 2014-09-15 15:08:34 UTC
Fixed in git, thanks!