Commit
Fix a crash caused by integer underflow
index is unsigned, and could be zero, so 'index--' will underflow and round to 0xffffffff, and cause a problem in a later call to Expand_Series.

I believe the idea of

    if ((REBINT)index > i) index--;

is to move the index forward because the gobs being inserted were in PANE, and they can't be there twice (Detach_Gob will remove them from the current gob). So if they were not there, "index" shouldn't be changed.

This fixes a crash in the following script:

    REBOL []
    foo: make block! []
    for i 0 15 1 [
        txt: #"a" + i
        append foo make gob! reduce/no-set [text: to string! txt]
    ]
    g: make gob! []
    append g foo
    g/pane: next g/pane

With this stack trace:

    zsx@touchsmart-arch:~/work/r3.git/make$ R3_ALWAYS_MALLOC=1 ./r3-view-linux test-insert-gob-crash.r
    =================================================================
    ==24248==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000c8a8 at pc 0x522243 bp 0x7fff91ba7a60 sp 0x7fff91ba7a50
    WRITE of size 8 at 0x60d00000c8a8 thread T0
        #0 0x522242 in Insert_Gobs ../src/core/t-gob.c:230
        #1 0x5242d6 in Set_GOB_Var ../src/core/t-gob.c:421
        #2 0x5278ee in PD_Gob ../src/core/t-gob.c:713
        #3 0x414cda in Next_Path ../src/core/c-do.c:399
        #4 0x415c8c in Do_Path ../src/core/c-do.c:463
        #5 0x41a018 in Do_Next ../src/core/c-do.c:928
        #6 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #7 0x4a6eca in N_do ../src/core/n-control.c:524
        #8 0x43e267 in Do_Native ../src/core/c-function.c:289
        #9 0x419562 in Do_Next ../src/core/c-do.c:886
        #10 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #11 0x4a755e in N_either ../src/core/n-control.c:598
        #12 0x43e267 in Do_Native ../src/core/c-function.c:289
        #13 0x419562 in Do_Next ../src/core/c-do.c:886
        #14 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #15 0x4a755e in N_either ../src/core/n-control.c:598
        #16 0x43e267 in Do_Native ../src/core/c-function.c:289
        #17 0x419562 in Do_Next ../src/core/c-do.c:886
        #18 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #19 0x4a755e in N_either ../src/core/n-control.c:598
        #20 0x43e267 in Do_Native ../src/core/c-function.c:289
        #21 0x419562 in Do_Next ../src/core/c-do.c:886
        #22 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #23 0x43f8f8 in Do_Function ../src/core/c-function.c:415
        #24 0x420b7d in Apply_Function ../src/core/c-do.c:1528
        #25 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588
        #26 0x426f84 in Init_Mezz ../src/core/c-do.c:2320
        #27 0x406bf1 in RL_Start ../src/core/a-lib.c:193
        #28 0x5fecee in main ../src/os/host-main.c:235
        #29 0x7facd0bf67ff in __libc_start_main (/usr/lib/libc.so.6+0x207ff)
        #30 0x406008 in _start (/home/zsx/stuffs/work/r3.git/make/r3-view-linux+0x406008)

    0x60d00000c8a8 is located 0 bytes to the right of 136-byte region [0x60d00000c820,0x60d00000c8a8)
    allocated by thread T0 here:
        #0 0x7facd26567a7 in malloc (/usr/lib/libasan.so.1+0x577a7)
        #1 0x4999a7 in Make_Mem ../src/core/m-pools.c:125
        #2 0x49b188 in Make_Series ../src/core/m-pools.c:413
        #3 0x521929 in Insert_Gobs ../src/core/t-gob.c:208
        #4 0x529717 in T_Gob ../src/core/t-gob.c:835
        #5 0x43eb86 in Do_Act ../src/core/c-function.c:338
        #6 0x43f82a in Do_Action ../src/core/c-function.c:396
        #7 0x419562 in Do_Next ../src/core/c-do.c:886
        #8 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #9 0x4a6eca in N_do ../src/core/n-control.c:524
        #10 0x43e267 in Do_Native ../src/core/c-function.c:289
        #11 0x419562 in Do_Next ../src/core/c-do.c:886
        #12 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #13 0x4a755e in N_either ../src/core/n-control.c:598
        #14 0x43e267 in Do_Native ../src/core/c-function.c:289
        #15 0x419562 in Do_Next ../src/core/c-do.c:886
        #16 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #17 0x4a755e in N_either ../src/core/n-control.c:598
        #18 0x43e267 in Do_Native ../src/core/c-function.c:289
        #19 0x419562 in Do_Next ../src/core/c-do.c:886
        #20 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #21 0x4a755e in N_either ../src/core/n-control.c:598
        #22 0x43e267 in Do_Native ../src/core/c-function.c:289
        #23 0x419562 in Do_Next ../src/core/c-do.c:886
        #24 0x41ad1d in Do_Blk ../src/core/c-do.c:1017
        #25 0x43f8f8 in Do_Function ../src/core/c-function.c:415
        #26 0x420b7d in Apply_Function ../src/core/c-do.c:1528
        #27 0x42139c in Do_Sys_Func ../src/core/c-do.c:1588
        #28 0x426f84 in Init_Mezz ../src/core/c-do.c:2320
        #29 0x406bf1 in RL_Start ../src/core/a-lib.c:193

    SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/core/t-gob.c:230 Insert_Gobs
    ==24248==ABORTING
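As an added illustration (not code from the repository or this commit), the unsigned decrement quoted in the message is reproduced in isolation: `i` is modelled as the position of the gob in the destination pane, or -1 when it was not there, and REBCNT/REBINT are stand-in typedefs. The guarded variant is an assumption about the intended behaviour the message describes ("if they were not there, index shouldn't be changed"), not the commit's actual patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the Rebol 3 typedefs (REBCNT is unsigned, REBINT signed). */
typedef uint32_t REBCNT;
typedef int32_t  REBINT;

/* The adjustment quoted in the commit message. `i` models the position of
 * the gob in the destination pane, or -1 when it is not in that pane.
 * With index == 0 and i == -1 the test is true and the unsigned decrement
 * wraps to 0xffffffff, the value a later series operation would use. */
REBCNT adjust_index_unguarded(REBCNT index, REBINT i)
{
    if ((REBINT)index > i) index--;
    return index;
}

/* Guarded variant written for this example (an assumption about the
 * intended behaviour, not the repository's patch): only shift the insertion
 * point when the gob really was found in this pane (i >= 0) ahead of it. */
REBCNT adjust_index_guarded(REBCNT index, REBINT i)
{
    if (i >= 0 && (REBINT)index > i) index--;
    return index;
}

/* A pane with `tail` used slots accepts an insertion index of 0..tail
 * inclusive; anything beyond that is a write past the allocated region. */
int insert_index_in_bounds(REBCNT index, REBCNT tail)
{
    return index <= tail;
}

int main(void)
{
    REBCNT bad = adjust_index_unguarded(0, -1);
    REBCNT ok  = adjust_index_guarded(0, -1);
    printf("unguarded: 0x%08x in bounds: %d\n", (unsigned)bad, insert_index_in_bounds(bad, 16));
    printf("guarded:   0x%08x in bounds: %d\n", (unsigned)ok, insert_index_in_bounds(ok, 16));
    /* Gob found at slot 2 of the same pane, inserting at 5: both forms give 4. */
    printf("same pane: %u\n", (unsigned)adjust_index_guarded(5, 2));
    return 0;
}
```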