Use-after-free when sourcing specific tigrc from binding #1001

Closed
krobelus opened this issue Mar 28, 2020 · 0 comments

krobelus commented Mar 28, 2020

The latest commit this happens on is 26ab51d. It does not happen on the following commit (5bb948f) but that one only touched default bindings, so I don't think it fixed the root of the problem. Also none of the following commits up to master (70ac221) look like they would fix this either.

So far I managed to reduce the ~/min.tigrc that exposes the issue to this:

bind generic a :source ~/min.tigrc
bind generic x :
bind generic x :
bind generic x :
bind generic x :
bind generic x !git
bind generic x !git
bind generic x !git rebase --continue
bind generic x !git rebase --skip
bind generic x !git
bind generic x !git
bind generic x !git

Invocation:

$ CFLAGS='-g -DDEBUG -O0' make clean all-address-sanitizer
$ TIG_NO_DISPLAY= TIGRC_USER=$HOME/min.tigrc ./src/tig

Now type a and hit Enter. It crashes on my system:

=================================================================
==1216069==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000d41 at pc 0x55602ad8bee3 bp 0x7ffccebdfd60 sp 0x7ffccebdfd50
READ of size 1 at 0x619000000d41 thread T0
    #0 0x55602ad8bee2 in exec_run_request src/prompt.c:1135
    #1 0x55602ad571d5 in open_run_request src/tig.c:143
    #2 0x55602ad57213 in view_driver src/tig.c:159
    #3 0x55602ad5aa16 in main src/tig.c:862
    #4 0x7fca653d4022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)
    #5 0x55602ad55b5d in _start (/home/johannes/git/tig/src/tig+0x34b5d)

0x619000000d41 is located 705 bytes inside of 1152-byte region [0x619000000a80,0x619000000f00)
freed by thread T0 here:
    #0 0x7fca656f4fa0 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x55602ad5fdbf in chunk_allocator src/util.c:447
    #2 0x55602ad716cf in realloc_run_requests src/keys.c:450
    #3 0x55602ad71e9f in add_run_request src/keys.c:498
    #4 0x55602ad7d357 in option_bind_command src/options.c:885
    #5 0x55602ad7d63a in set_option src/options.c:928
    #6 0x55602ad7d939 in read_option src/options.c:968
    #7 0x55602ad69cde in io_load_file src/io.c:680
    #8 0x55602ad69e08 in io_load_span src/io.c:694
    #9 0x55602ad7ddf9 in load_option_file src/options.c:1004
    #10 0x55602ad7d535 in option_source_command src/options.c:909
    #11 0x55602ad7d664 in set_option src/options.c:931
    #12 0x55602ad8b5cd in run_prompt_command src/prompt.c:1060
    #13 0x55602ad8bb50 in exec_run_request src/prompt.c:1109
    #14 0x55602ad571d5 in open_run_request src/tig.c:143
    #15 0x55602ad57213 in view_driver src/tig.c:159
    #16 0x55602ad5aa16 in main src/tig.c:862
    #17 0x7fca653d4022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)

previously allocated by thread T0 here:
    #0 0x7fca656f4fa0 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x55602ad5fdbf in chunk_allocator src/util.c:447
    #2 0x55602ad716cf in realloc_run_requests src/keys.c:450
    #3 0x55602ad71e9f in add_run_request src/keys.c:498
    #4 0x55602ad7d357 in option_bind_command src/options.c:885
    #5 0x55602ad7d63a in set_option src/options.c:928
    #6 0x55602ad7d939 in read_option src/options.c:968
    #7 0x55602ad69cde in io_load_file src/io.c:680
    #8 0x55602ad69e08 in io_load_span src/io.c:694
    #9 0x55602ad7ddf9 in load_option_file src/options.c:1004
    #10 0x55602ad7e340 in load_options src/options.c:1041
    #11 0x55602ad5a501 in main src/tig.c:829
    #12 0x7fca653d4022 in __libc_start_main (/usr/lib/libc.so.6+0x27022)

SUMMARY: AddressSanitizer: heap-use-after-free src/prompt.c:1135 in exec_run_request
==1216069==ABORTING
krobelus added a commit to krobelus/tig that referenced this issue Mar 30, 2020
The function run_prompt_command may reallocate the run_request,
invalidating the pointer to the current request if it was inside
run_request. The resulting use-after-free would cause occasional crashes.

Fixes jonas#1001
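The realloc-invalidation pattern the commit message describes, as an added C model that is not tig's own code: `run_request`, `add_run_request` and `source_tigrc` are constructed stand-ins for the functions in the trace above, and the buggy function is shown beside a hardened one that re-derives the pointer from an index after the call that may grow the array. Whether the block actually moves on a given realloc depends on the allocator, which is why AddressSanitizer (as in the report) is the reliable way to catch the stale read.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not tig's code): bindings live in a realloc-grown
 * array, and executing a binding may source a tigrc that appends more. */
struct run_request { char cmd[32]; };

static struct run_request *run_request = NULL;
static size_t run_requests = 0, capacity = 0;

static void reset_run_requests(void) {
    free(run_request);
    run_request = NULL;
    run_requests = capacity = 0;
}

/* Append one binding; growth goes through realloc, which may move the block. */
static int add_run_request(const char *cmd) {
    if (run_requests == capacity) {
        capacity = capacity ? capacity * 2 : 1;   /* small chunks: moves happen early */
        struct run_request *p = realloc(run_request, capacity * sizeof *p);
        if (!p) return -1;
        run_request = p;
    }
    snprintf(run_request[run_requests].cmd, sizeof run_request[0].cmd, "%s", cmd);
    return (int)run_requests++;
}

/* Stand-in for ":source file": every line becomes a new binding. */
static void source_tigrc(const char **lines, size_t n) {
    for (size_t i = 0; i < n; i++)
        add_run_request(lines[i]);
}

/* Buggy shape: caches a pointer into the array, calls code that may realloc
 * the array, then dereferences the cached pointer (use-after-free if moved). */
const char *exec_request_stale(int idx, const char **lines, size_t n) {
    struct run_request *req = &run_request[idx];
    source_tigrc(lines, n);
    return req->cmd;
}

/* Hardened shape: keep only the index across the call and look the request
 * up again afterwards, so the pointer always refers to the current block. */
static const char *exec_request_safe(int idx, const char **lines, size_t n) {
    source_tigrc(lines, n);
    return run_request[idx].cmd;
}
```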
krobelus added a commit to krobelus/tig that referenced this issue Apr 4, 2020