[patch] fixed "Floating point exception" in Vim-7.3a


[patch] fixed "Floating point exception" in Vim-7.3a

Dominique Pellé
Hi

I can reproduce a crash "Floating point exception"
in Vim-7.3a (2245:1bac28a53fae) as follows:

$ cd /tmp
$ echo "set cryptmethod=1 undodir=/tmp undofile" > vimrc
$ rm -f foo .foo*
$ vim --noplugin -u vimrc -c 'call feedkeys("ifoo\<esc>:X\<cr>foo\<cr>foo\<cr>:wq\<cr>")' foo
$ echo foo > foo

# Now file "foo" is non-encrypted but its undo file /tmp/%tmp%foo is encrypted.
# This causes a floating point exception when loading the undo file.

$ vim --noplugin -u vimrc foo
foo" 1L, 4CFloating point exception

Valgrind gives the following error:

==6971== Process terminating with default action of signal 8 (SIGFPE)
==6971==  Integer divide by zero at address 0x68C9A945
==6971==    at 0x805CDEE: bf_key_init (blowfish.c:428)
==6971==    by 0x80C6315: prepare_crypt_read (fileio.c:2955)
==6971==    by 0x81BF621: u_read_undo (undo.c:1506)
==6971==    by 0x80C5AC3: readfile (fileio.c:2590)
==6971==    by 0x80539C6: open_buffer (buffer.c:132)
==6971==    by 0x80EA049: create_windows (main.c:2545)
==6971==    by 0x80E7B03: main (main.c:804)

blowfish.c:

  405     void
  406 bf_key_init(password)
  407     char_u *password;
  408 {
  409     int      i, j, keypos = 0;
  410     UINT32_T val, data_l, data_r;
  411     char_u   *key;
  412     int      keylen;
  413
  414     key = sha256_key(password);
  415     keylen = (int)STRLEN(key);
  416     for (i = 0; i < 256; ++i)
  417     {
  418         sbx[0][i] = sbi[0][i];
  419         sbx[1][i] = sbi[1][i];
  420         sbx[2][i] = sbi[2][i];
  421         sbx[3][i] = sbi[3][i];
  422     }
  423
  424     for (i = 0; i < 18; ++i)
  425     {
  426         val = 0;
  427         for (j = 0; j < 4; ++j)
!!428             val = (val << 8) | key[keypos++ % keylen];
  429         pax[i] = ipa[i] ^ val;
  430     }

keylen is 0 so division by 0 happens at line 428.

Attached patch fixes it.

Cheers
-- Dominique

--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

Attachment: fixed-floating_point_exception-undo.c-7.3a.patch (718 bytes)

Re: [patch] fixed "Floating point exception" in Vim-7.3a

Bram Moolenaar

Dominique Pelle wrote:

> I can reproduce a crash "Floating point exception"
> in Vim-7.3a (2245:1bac28a53fae) as follows:
>
> $ cd /tmp
> $ echo "set cryptmethod=1 undodir=/tmp undofile" > vimrc
> $ rm -f foo .foo*
> $ vim --noplugin -u vimrc -c 'call feedkeys("ifoo\<esc>:X\<cr>foo\<cr>foo\<cr>:wq\<cr>")' foo
> $ echo foo > foo
>
> # Now file "foo" is non-encrypted but its undo file /tmp/%tmp%foo is encrypted.
> # This causes a floating point exception when loading the undo file.
>
> $ vim --noplugin -u vimrc foo
> foo" 1L, 4CFloating point exception
>
> Valgrind gives the following error:
>
> ==6971== Process terminating with default action of signal 8 (SIGFPE)
> ==6971==  Integer divide by zero at address 0x68C9A945
> ==6971==    at 0x805CDEE: bf_key_init (blowfish.c:428)
> ==6971==    by 0x80C6315: prepare_crypt_read (fileio.c:2955)
> ==6971==    by 0x81BF621: u_read_undo (undo.c:1506)
> ==6971==    by 0x80C5AC3: readfile (fileio.c:2590)
> ==6971==    by 0x80539C6: open_buffer (buffer.c:132)
> ==6971==    by 0x80EA049: create_windows (main.c:2545)
> ==6971==    by 0x80E7B03: main (main.c:804)
>
> blowfish.c:
>
>   405     void
>   406 bf_key_init(password)
>   407     char_u *password;
>   408 {
>   409     int      i, j, keypos = 0;
>   410     UINT32_T val, data_l, data_r;
>   411     char_u   *key;
>   412     int      keylen;
>   413
>   414     key = sha256_key(password);
>   415     keylen = (int)STRLEN(key);
>   416     for (i = 0; i < 256; ++i)
>   417     {
>   418         sbx[0][i] = sbi[0][i];
>   419         sbx[1][i] = sbi[1][i];
>   420         sbx[2][i] = sbi[2][i];
>   421         sbx[3][i] = sbi[3][i];
>   422     }
>   423
>   424     for (i = 0; i < 18; ++i)
>   425     {
>   426         val = 0;
>   427         for (j = 0; j < 4; ++j)
> !!428             val = (val << 8) | key[keypos++ % keylen];
>   429         pax[i] = ipa[i] ^ val;
>   430     }
>
> keylen is 0 so division by 0 happens at line 428.
>
> Attached patch fixes it.

Thanks.  I'll also add a check in bf_key_init() for an empty key, it's
better to give an error message than crashing.

--
hundred-and-one symptoms of being an internet addict:
165. You have a web page burned into your glasses

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

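Added example, not Vim's code and not the attached patch: a simplified stand-in for the P-array half of bf_key_init() from the listing in Dominique's report. It keeps the same key[keypos++ % keylen] indexing and adds the empty-key check Bram describes in his reply, so a zero-length key (the situation when a non-encrypted buffer meets an encrypted undo file) produces an error return instead of an integer division by zero and SIGFPE. The names bf_pax_init, first_pax_word and ipa_example are chosen here; the 18 constants are the standard Blowfish P-array initial values, and the S-box copy from the original is omitted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define P_ENTRIES 18

/* Standard Blowfish P-array initial values (hex digits of pi); stands in
 * for Vim's ipa[] table in this example. */
static const uint32_t ipa_example[P_ENTRIES] = {
    0x243F6A88u, 0x85A308D3u, 0x13198A2Eu, 0x03707344u, 0xA4093822u, 0x299F31D0u,
    0x082EFA98u, 0xEC4E6C89u, 0x452821E6u, 0x38D01377u, 0xBE5466CFu, 0x34E90C6Cu,
    0xC0AC29B7u, 0xC97C50DDu, 0x3F84D5B5u, 0xB5470917u, 0x9216D5D9u, 0x8979FB1Bu
};

/* Hypothetical replacement for the P-array loop of bf_key_init().
 * Returns 0 on success and -1 when the key is missing or empty. */
int bf_pax_init(const unsigned char *key, size_t keylen, uint32_t pax[P_ENTRIES])
{
    int i, j, keypos = 0;
    uint32_t val;

    /* The check the original lacked: with keylen == 0 the modulo below is an
     * integer division by zero, which is exactly the SIGFPE in the report. */
    if (key == NULL || keylen == 0)
        return -1;

    for (i = 0; i < P_ENTRIES; ++i)
    {
        val = 0;
        /* Four key bytes per word, cycling through the key when it is
         * shorter than 4 * P_ENTRIES bytes. */
        for (j = 0; j < 4; ++j)
            val = (val << 8) | key[keypos++ % keylen];
        pax[i] = ipa_example[i] ^ val;
    }
    return 0;
}

/* Demo helper: derive the schedule from a NUL-terminated password and report
 * its first P-array word; 0xFFFFFFFF signals that the key was rejected. */
uint32_t first_pax_word(const char *password)
{
    uint32_t pax[P_ENTRIES];

    if (bf_pax_init((const unsigned char *)password, strlen(password), pax) != 0)
        return 0xFFFFFFFFu;
    return pax[0];
}

int main(void)
{
    /* Constructed inputs: the password from the report and an empty one. */
    printf("key \"foo\": pax[0] = 0x%08x\n", (unsigned)first_pax_word("foo"));
    printf("empty key : %s\n",
           first_pax_word("") == 0xFFFFFFFFu ? "rejected, no SIGFPE" : "accepted");
    return 0;
}
```

The caller (in Vim's case prepare_crypt_read() via u_read_undo()) can then report that the undo file is encrypted while no key is available and skip loading it, rather than letting the key schedule run with keylen == 0.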