
[Nano-devel] [PATCH/RFC] fix crash when using certain keybindings


From: Mike Frysinger
Subject: [Nano-devel] [PATCH/RFC] fix crash when using certain keybindings
Date: Fri, 04 Apr 2014 16:24:23 -0400
User-agent: KMail/4.12.3 (Linux/3.13.0; KDE/4.12.3; x86_64; ; )

if you build nano with -fsanitize=address and then do something simple like:
        - run ./src/nano -I
        - hit CTRL+R to insert a file
        - hit enter at the file prompt
        - see use-after-free crash!

this is because in the do_input func, it grabs a func handle, reloads 
shortcuts, and then tries to use the handle it grabbed earlier.  see the >>> 
sections for my annotations of the problem.

...
        if (have_shortcut) {
            switch (input) {
                /* Handle the normal edit window shortcuts, setting
                 * ran_func to TRUE if we try to run their associated
                 * functions and setting finished to TRUE to indicate
                 * that we're done after running or trying to run their
                 * associated functions. */
                default:
                    /* If the function associated with this shortcut is
                     * cutting or copying text, indicate this. */
                    if (s->scfunc == do_cut_text_void
#ifndef NANO_TINY
                        || s->scfunc == do_copy_text || s->scfunc ==
                        do_cut_till_end
#endif
                        )
                        cut_copy = TRUE;

                    if (s->scfunc != 0) {
                        >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                        // Get a handle to an active func.
                        >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                        const subnfunc *f = sctofunc((sc *) s);
                        *ran_func = TRUE;
                        if (ISSET(VIEW_MODE) && f && !f->viewok)
                            print_view_warning();
                        else {
#ifndef NANO_TINY
                            if (s->scfunc == do_toggle_void)
                                do_toggle(s->toggle);
                            else {
#else
                            {
#endif
                                >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                                // Trigger an operation that reloads shortcuts
                                // which in turn frees all existing sctofunc's
                                >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                                s->scfunc();
#ifndef DISABLE_COLOR
                                /* The command might have re-initialized shortcuts
                                 * in which case f is now invalid.  Let's reload. */
                                >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                                // Use f which now points to freed memory!
                                >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
                                if (f && !f->viewok && openfile->syntax != NULL
                                        && openfile->syntax->nmultis > 0) {
                                    reset_multis(openfile->current, FALSE);
                                }
#endif
...

the patch below fixes things, but i can't help feeling that the system is still pretty fragile ...

--- a/src/nano.c
+++ b/src/nano.c
@@ -1675,6 +1675,9 @@ int do_input(bool *meta_key, bool *func_key, bool 
*s_or_t, bool
 #endif
                                s->scfunc();
 #ifndef DISABLE_COLOR
+                               /* The command might have re-initialized 
shortcuts
+                                * in which case f is now invalid.  Let's 
reload. */
+                               f = sctofunc((sc *) s);
                                if (f && !f->viewok && openfile->syntax != NULL
                                        && openfile->syntax->nmultis > 0) {
                                    reset_multis(openfile->current, FALSE);
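Review bot: the added `f = sctofunc((sc *) s);` keeps a handle alive across a call that can free it, and the only thing read from it afterwards is `f->viewok`; capturing that before the call (e.g. `bool reset_needed = f && !f->viewok;` above `s->scfunc();`, then testing `reset_needed` in the `if`) removes the post-call dereference of `f` altogether instead of refreshing it, which also answers the fragility the cover note mentions. If the re-lookup is kept, it is worth confirming that `s` itself survives the shortcut reload, since the new line still passes `s` to `sctofunc()` after the command has run.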
-mike
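The same handle-then-reload-then-use pattern, and the re-lookup fix from the patch, as a self-contained model added here; this is constructed example code, not nano's, and the `sc`/`subnfunc` tables, `reload_shortcuts()` and the generation counter are hypothetical stand-ins for nano's shortcut structures (only `sctofunc` is named on the page). Built with `-fsanitize=address`, moving the `f = sctofunc(s);` line above `s->scfunc();` reproduces the use-after-free the post describes.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of nano's function table (hypothetical, not nano's code):
 * each entry records which rebuild it belongs to, so a stale handle is visible. */
typedef struct subnfunc {
    void (*scfunc)(void);
    bool viewok;
    unsigned generation;   /* bumped on every rebuild of the table */
} subnfunc;

typedef struct sc { void (*scfunc)(void); } sc;   /* a keybinding */

static subnfunc *allfuncs = NULL;
static size_t nfuncs = 0;
static unsigned generation = 0;

static void do_nothing(void) {}
static void do_reload(void);

/* Free and rebuild the table: every subnfunc* handed out before this dies here. */
static void reload_shortcuts(void) {
    free(allfuncs);
    generation++;
    nfuncs = 2;
    allfuncs = calloc(nfuncs, sizeof *allfuncs);
    allfuncs[0].scfunc = do_nothing; allfuncs[0].viewok = true;
    allfuncs[1].scfunc = do_reload;  allfuncs[1].viewok = false;
    for (size_t i = 0; i < nfuncs; i++) allfuncs[i].generation = generation;
}

/* A command that, like inserting a file in nano, reloads the shortcuts. */
static void do_reload(void) { reload_shortcuts(); }

/* Map a keybinding to its current table entry (the role of nano's sctofunc()). */
static const subnfunc *sctofunc(const sc *s) {
    for (size_t i = 0; i < nfuncs; i++)
        if (allfuncs[i].scfunc == s->scfunc) return &allfuncs[i];
    return NULL;
}

/* Fixed pattern from the patch: f is not touched after s->scfunc() until it has
 * been resolved again. Returns the generation of the entry used, 0 if unknown. */
static unsigned run_shortcut(const sc *s) {
    const subnfunc *f = sctofunc(s);
    if (f == NULL) return 0;
    s->scfunc();                  /* may free allfuncs, leaving f dangling */
    f = sctofunc(s);              /* the fix: look the handle up again */
    return f ? f->generation : 0;
}
```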
