From d43268fbebab0989015639c4bdc9e31aa137b06a Mon Sep 17 00:00:00 2001
From: Maxime Coste
Date: Tue, 20 Jun 2023 13:09:03 +1000
Subject: [PATCH] Fix invalid access of display line end
When a line only contains non-range atoms we can end-up accessing past the end atom. Add a test that shows the issue when run with valgrind, it is unfortunately quite hard to trigger a crash because the invalidly accessed byte usually leads to the correct code path being taken (when != DisplayAtom::Range) so we have only 1 in 255 chance of triggerring a crash.
Fixes #4927
---
 src/highlighters.cc | 2 +-
 test/regression/4927-crash-jumping-to-eol/cmd | 1 +
 test/regression/4927-crash-jumping-to-eol/in | 4 ++++
 test/regression/4927-crash-jumping-to-eol/rc | 3 +++
 4 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 test/regression/4927-crash-jumping-to-eol/cmd
 create mode 100644 test/regression/4927-crash-jumping-to-eol/in
 create mode 100644 test/regression/4927-crash-jumping-to-eol/rc
diff --git a/src/highlighters.cc b/src/highlighters.cc
index ee772469..65f801cb 100644
--- a/src/highlighters.cc
+++ b/src/highlighters.cc
@@ -1820,7 +1820,7 @@ struct ForwardHighlighterApplier
 {
 auto& line = *cur_line;
 auto first = std::find_if(cur_atom, line.end(), [&](auto&& atom) { return atom.has_buffer_range() and atom.end() > begin; });
- if (first->type() == DisplayAtom::Range and first->begin() < begin)
+ if (first != line.end() and first->type() == DisplayAtom::Range and first->begin() < begin)
 first = ++line.split(first, begin);
 auto idx = first - line.begin();
diff --git a/test/regression/4927-crash-jumping-to-eol/cmd b/test/regression/4927-crash-jumping-to-eol/cmd
new file mode 100644
index 00000000..9838b13c
--- /dev/null
+++ b/test/regression/4927-crash-jumping-to-eol/cmd
@@ -0,0 +1 @@
+
diff --git a/test/regression/4927-crash-jumping-to-eol/in b/test/regression/4927-crash-jumping-to-eol/in
new file mode 100644
index 00000000..47a9f72b
--- /dev/null
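Review bot: The added `first != line.end()` test stops the past-the-end dereference, but nothing at the site records why `first` can be `line.end()`, and the unchanged `auto idx = first - line.begin();` now evaluates to `line.size()` in that case, so whatever consumes `first` and `idx` after the hunk (the rest of the function lies outside it) has to tolerate an end iterator, which I cannot confirm from here. A comment above the condition would make that invariant visible to the next reader, e.g. `// no atom with a buffer range reaches begin (line made only of non-range atoms, #4927): first is line.end() and must not be dereferenced`. If `has_buffer_range()` is simply `type() == DisplayAtom::Range`, the `first->type()` comparison is redundant with the find_if predicate and could be dropped, but keep it if the two differ. Since the commit message says the regression test only exposes the read under valgrind with roughly 1-in-255 crash odds, running the regression suite under AddressSanitizer (where the build supports it) would report this read deterministically instead of by chance.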
+++ b/test/regression/4927-crash-jumping-to-eol/in
@@ -0,0 +1,4 @@
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+
+
diff --git a/test/regression/4927-crash-jumping-to-eol/rc b/test/regression/4927-crash-jumping-to-eol/rc
new file mode 100644
index 00000000..625de101
--- /dev/null
+++ b/test/regression/4927-crash-jumping-to-eol/rc
@@ -0,0 +1,3 @@
+add-highlighter global/ column 60 red
+add-highlighter buffer/regions regions
+add-highlighter buffer/regions/ default-region fill green