
TUI heap-buffer-overflow with :redrawtabline in VimResized autocommand #20692

@zeertzjq

Description

Neovim version (nvim -v)

v0.9.0-dev-112-g8617101b6

Vim (not Nvim) behaves the same?

No

Operating system/version

Arch Linux

Terminal name/version

kitty 0.26.3

$TERM environment variable

xterm-kitty

Installation

build from repo

How to reproduce the issue

  1. Run nvim --clean
  2. Run :tabnew
  3. Run :autocmd VimResized * redrawtabline
  4. Increase the size of the terminal window

Expected behavior

No crash

Actual behavior

heap-buffer-overflow

=================================================================
==11694==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x620000002ed8 at pc 0x55ce623f55f7 bp 0x7f2b01dfd7c0 sp 0x7f2b01dfd7b8
WRITE of size 1 at 0x620000002ed8 thread T1
    #0 0x55ce623f55f6 in clear_region **/src/nvim/ugrid.c:85:5
    #1 0x55ce623f592c in ugrid_clear_chunk **/src/nvim/ugrid.c:47:3
    #2 0x55ce623c99ea in tui_raw_line **/src/nvim/tui/tui.c:1509:5
    #3 0x55ce62431f45 in ui_bridge_raw_line_event **/src/nvim/ui_bridge.c:159:3
    #4 0x55ce61558df0 in multiqueue_process_events **/src/nvim/event/multiqueue.c:153:7
    #5 0x55ce6155300d in loop_poll_events **/src/nvim/event/loop.c:85:3
    #6 0x55ce623cc568 in tui_main **/src/nvim/tui/tui.c:507:5
    #7 0x55ce6242ba41 in ui_thread_run **/src/nvim/ui_bridge.c:106:3
    #8 0x7f2b0455d8fc  (/usr/lib/libc.so.6+0x868fc) (BuildId: 1e94beb079e278ac4f2c8bce1f53091548ea1584)
    #9 0x7f2b045dfa5f  (/usr/lib/libc.so.6+0x108a5f) (BuildId: 1e94beb079e278ac4f2c8bce1f53091548ea1584)

0x620000002ed8 is located 0 bytes to the right of 3672-byte region [0x620000002080,0x620000002ed8)
allocated by thread T1 here:
    #0 0x55ce60da1fc1 in __interceptor_calloc (**/build/bin/nvim+0xcebfc1) (BuildId: c5b8214eeb5704c89f006bed2a0d7cf89d5abc4d)
    #1 0x55ce61b2df66 in xcalloc **/src/nvim/memory.c:142:15
    #2 0x55ce623f4d49 in ugrid_resize **/src/nvim/ugrid.c:33:22
    #3 0x55ce623bcb4c in tui_grid_resize **/src/nvim/tui/tui.c:1019:3
    #4 0x55ce6242c639 in ui_bridge_grid_resize_event **/build/src/nvim/auto/ui_events_bridge.generated.h:173:3
    #5 0x55ce61558df0 in multiqueue_process_events **/src/nvim/event/multiqueue.c:153:7
    #6 0x55ce6155300d in loop_poll_events **/src/nvim/event/loop.c:85:3
    #7 0x55ce623cc568 in tui_main **/src/nvim/tui/tui.c:507:5
    #8 0x55ce6242ba41 in ui_thread_run **/src/nvim/ui_bridge.c:106:3
    #9 0x7f2b0455d8fc  (/usr/lib/libc.so.6+0x868fc) (BuildId: 1e94beb079e278ac4f2c8bce1f53091548ea1584)

Thread T1 created by T0 here:
    #0 0x55ce60d15808 in __interceptor_pthread_create (**/build/bin/nvim+0xc5f808) (BuildId: c5b8214eeb5704c89f006bed2a0d7cf89d5abc4d)
    #1 0x55ce6274b079 in uv_thread_create_ex **/.deps/build/src/libuv/src/unix/thread.c:279:9
    #2 0x55ce6274af50 in uv_thread_create **/.deps/build/src/libuv/src/unix/thread.c:233:10
    #3 0x55ce62423964 in ui_bridge_attach **/src/nvim/ui_bridge.c:81:7
    #4 0x55ce623bc850 in tui_start **/src/nvim/tui/tui.c:180:10
    #5 0x55ce62415668 in ui_builtin_start **/src/nvim/ui.c:139:3
    #6 0x55ce61944c62 in main **/src/nvim/main.c:345:7
    #7 0x7f2b044fa28f  (/usr/lib/libc.so.6+0x2328f) (BuildId: 1e94beb079e278ac4f2c8bce1f53091548ea1584)

SUMMARY: AddressSanitizer: heap-buffer-overflow **/src/nvim/ugrid.c:85:5 in clear_region
==11694==ABORTING
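An added illustration of the defect class the backtrace points at, not Neovim's code: a grid is allocated by a resize (ugrid_resize in the trace) and a later line event (tui_raw_line -> clear) addresses cells beyond that allocation. It assumes a one-byte-per-cell toy grid and, as an assumption about the mechanism, a line event that is wider than the grid the TUI currently holds; the checked clear clamps to the current size and reports the mismatch instead of writing past the buffer.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Toy model of a UI grid (hypothetical, not Neovim's ugrid.c):
   rows * cols cells, one byte per cell for the illustration. */
typedef struct {
  int rows, cols;
  char *cells;
} Grid;

/* Reallocate the cell buffer for a new size, as a resize event would. */
static void grid_resize(Grid *g, int rows, int cols) {
  free(g->cells);
  g->rows = rows;
  g->cols = cols;
  g->cells = calloc((size_t)rows * (size_t)cols, 1);
}

/* Clear [col_start, col_end) on one row. Unlike an unchecked clear, which
   would write one byte past the allocation for col_end == cols on the last
   row (the "0 bytes to the right" ASAN reports), this clamps the request to
   the grid's current dimensions and returns false when anything was dropped. */
static bool clear_region_checked(Grid *g, int row, int col_start, int col_end) {
  if (g->cells == NULL || row < 0 || row >= g->rows || col_start < 0) {
    return false;
  }
  bool clamped = col_end > g->cols;
  if (clamped) {
    col_end = g->cols;  /* drop the columns the grid does not have */
  }
  for (int c = col_start; c < col_end; c++) {
    g->cells[row * g->cols + c] = ' ';
  }
  return !clamped;
}

/* Assumed scenario from the report: the grid was sized for 2x10 and a line
   event then asks to clear 12 columns of the last row. */
static bool stale_line_event_is_rejected(void) {
  Grid g = {0};
  grid_resize(&g, 2, 10);                              /* 20 cells */
  bool ok_fit = clear_region_checked(&g, 1, 0, 10);    /* fits exactly */
  bool ok_wide = clear_region_checked(&g, 1, 0, 12);   /* 2 columns too wide */
  bool intact = g.cells[19] == ' ' && g.rows == 2 && g.cols == 10;
  free(g.cells);
  return ok_fit && !ok_wide && intact;
}

int main(void) {
  return stale_line_event_is_rejected() ? 0 : 1;
}
```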

    Labels

    bug-crash: issue reporting a crash or segfault
    bug-regression: wrong behavior that was introduced in a previous commit (please bisect)
    events: events, autocommands
    has:backtrace: issue contains a stacktrace/ASAN log
    has:bisected: issue has been tracked to a specific commit
    has:repro: issue contains minimal reproducing steps
    statusline: tabline, winbar, statuscolumn
    tui: termcodes, terminfo, termcap
    ui
