Apr 23 -current snapshot amd64
While writing an email, vi(1) crashed with a segmentation fault.
When ^W (WERASE) is hit in insert mode, it is possible for the line
buffer to be accessed out of bounds: if 'max' == 0 and 'tp->cno' == 1,
'tp->cno' is first reduced by one and 'tp->lb' is then accessed at
'tp->cno' - 1.
Index: vi/vi/v_txt.c
===================================================================
RCS file: /cvs/src/usr.bin/vi/vi/v_txt.c,v
retrieving revision 1.22
diff -u -p -r1.22 v_txt.c
--- vi/vi/v_txt.c 27 Oct 2009 23:59:48 -0000 1.22
+++ vi/vi/v_txt.c 7 May 2013 15:53:29 -0000
@@ -1120,12 +1120,12 @@ leftmargin: tp->lb[tp->cno - 1] = ' ';
*/
if (LF_ISSET(TXT_TTYWERASE))
while (tp->cno > max) {
+ if (isblank(tp->lb[tp->cno - 1]))
+ break;
--tp->cno;
++tp->owrite;
if (FL_ISSET(is_flags, IS_RUNNING))
tp->lb[tp->cno] = ' ';
- if (isblank(tp->lb[tp->cno - 1]))
- break;
}
else {
if (LF_ISSET(TXT_ALTWERASE)) {
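Review bot: The moved `isblank` test on the first line of the loop is now the only thing that keeps the index `tp->cno - 1` in bounds, because it runs while `tp->cno > max` still holds, but nothing in the new code records that, and the old order (decrement, then test) looks natural enough that a later cleanup could put it back. A short comment above the test would pin the invariant: `/* Test lb[cno - 1] before --cno: once cno == max (possibly 0), lb[cno - 1] is out of bounds. */`. The same ordering and the same missing comment apply to the `inword`/`isblank` test in the second hunk of this file. Since the test now precedes the erase, a blank immediately before the cursor ends the loop without erasing anything, which matches the old behaviour only if trailing blanks are stripped before this point; that code is outside the hunk, as is the start and end of the enclosing function.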
@@ -1139,13 +1139,13 @@ leftmargin: tp->lb[tp->cno - 1] = ' ';
if (tp->cno > max)
tmp = inword(tp->lb[tp->cno - 1]);
while (tp->cno > max) {
+ if (tmp != inword(tp->lb[tp->cno - 1])
+ || isblank(tp->lb[tp->cno - 1]))
+ break;
--tp->cno;
++tp->owrite;
if (FL_ISSET(is_flags, IS_RUNNING))
tp->lb[tp->cno] = ' ';
- if (tmp != inword(tp->lb[tp->cno - 1])
- || isblank(tp->lb[tp->cno - 1]))
- break;
}
}