
[patch] fixed "Floating point exception" in Vim-7.3a

  • Dominique Pellé
    Message 1 of 2 , Jun 5, 2010
      Hi

      I can reproduce a crash "Floating point exception"
      in Vim-7.3a (2245:1bac28a53fae) as follows:

      $ cd /tmp
      $ echo "set cryptmethod=1 undodir=/tmp undofile" > vimrc
      $ rm -f foo .foo*
      $ vim --noplugin -u vimrc -c 'call feedkeys("ifoo\<esc>:X\<cr>foo\<cr>foo\<cr>:wq\<cr>")' foo
      $ echo foo > foo

      # Now file "foo" is non-encrypted but its undo file /tmp/%tmp%foo is encrypted.
      # This causes a floating point exception when loading the undo file.

      $ vim --noplugin -u vimrc foo
      foo" 1L, 4CFloating point exception

      Valgrind gives the following error:

      ==6971== Process terminating with default action of signal 8 (SIGFPE)
      ==6971== Integer divide by zero at address 0x68C9A945
      ==6971== at 0x805CDEE: bf_key_init (blowfish.c:428)
      ==6971== by 0x80C6315: prepare_crypt_read (fileio.c:2955)
      ==6971== by 0x81BF621: u_read_undo (undo.c:1506)
      ==6971== by 0x80C5AC3: readfile (fileio.c:2590)
      ==6971== by 0x80539C6: open_buffer (buffer.c:132)
      ==6971== by 0x80EA049: create_windows (main.c:2545)
      ==6971== by 0x80E7B03: main (main.c:804)

      blowfish.c:

      405 void
      406 bf_key_init(password)
      407     char_u *password;
      408 {
      409     int i, j, keypos = 0;
      410     UINT32_T val, data_l, data_r;
      411     char_u *key;
      412     int keylen;
      413
      414     key = sha256_key(password);
      415     keylen = (int)STRLEN(key);
      416     for (i = 0; i < 256; ++i)
      417     {
      418         sbx[0][i] = sbi[0][i];
      419         sbx[1][i] = sbi[1][i];
      420         sbx[2][i] = sbi[2][i];
      421         sbx[3][i] = sbi[3][i];
      422     }
      423
      424     for (i = 0; i < 18; ++i)
      425     {
      426         val = 0;
      427         for (j = 0; j < 4; ++j)
      !!428           val = (val << 8) | key[keypos++ % keylen];
      429         pax[i] = ipa[i] ^ val;
      430     }

      keylen is 0 so division by 0 happens at line 428.

      Attached patch fixes it.

      Cheers
      -- Dominique

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
    • Bram Moolenaar
      Message 2 of 2 , Jun 6, 2010
        Dominique Pelle wrote:

        > I can reproduce a crash "Floating point exception"
        > in Vim-7.3a (2245:1bac28a53fae) as follows:
        >
        > $ cd /tmp
        > $ echo "set cryptmethod=1 undodir=/tmp undofile" > vimrc
        > $ rm -f foo .foo*
        > $ vim --noplugin -u vimrc -c 'call feedkeys("ifoo\<esc>:X\<cr>foo\<cr>foo\<cr>:wq\<cr>")' foo
        > $ echo foo > foo
        >
        > # Now file "foo" is non-encrypted but its undo file /tmp/%tmp%foo is encrypted.
        > # This causes a floating point exception when loading the undo file.
        >
        > $ vim --noplugin -u vimrc foo
        > foo" 1L, 4CFloating point exception
        >
        > Valgrind gives the following error:
        >
        > ==6971== Process terminating with default action of signal 8 (SIGFPE)
        > ==6971== Integer divide by zero at address 0x68C9A945
        > ==6971== at 0x805CDEE: bf_key_init (blowfish.c:428)
        > ==6971== by 0x80C6315: prepare_crypt_read (fileio.c:2955)
        > ==6971== by 0x81BF621: u_read_undo (undo.c:1506)
        > ==6971== by 0x80C5AC3: readfile (fileio.c:2590)
        > ==6971== by 0x80539C6: open_buffer (buffer.c:132)
        > ==6971== by 0x80EA049: create_windows (main.c:2545)
        > ==6971== by 0x80E7B03: main (main.c:804)
        >
        > blowfish.c:
        >
        > 405 void
        > 406 bf_key_init(password)
        > 407     char_u *password;
        > 408 {
        > 409     int i, j, keypos = 0;
        > 410     UINT32_T val, data_l, data_r;
        > 411     char_u *key;
        > 412     int keylen;
        > 413
        > 414     key = sha256_key(password);
        > 415     keylen = (int)STRLEN(key);
        > 416     for (i = 0; i < 256; ++i)
        > 417     {
        > 418         sbx[0][i] = sbi[0][i];
        > 419         sbx[1][i] = sbi[1][i];
        > 420         sbx[2][i] = sbi[2][i];
        > 421         sbx[3][i] = sbi[3][i];
        > 422     }
        > 423
        > 424     for (i = 0; i < 18; ++i)
        > 425     {
        > 426         val = 0;
        > 427         for (j = 0; j < 4; ++j)
        > !!428           val = (val << 8) | key[keypos++ % keylen];
        > 429         pax[i] = ipa[i] ^ val;
        > 430     }
        >
        > keylen is 0 so division by 0 happens at line 428.
        >
        > Attached patch fixes it.

        Thanks. I'll also add a check in bf_key_init() for an empty key, it's
        better to give an error message than crashing.

        --
        hundred-and-one symptoms of being an internet addict:
        165. You have a web page burned into your glasses

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ download, build and distribute -- http://www.A-A-P.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
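
The empty-key check discussed in this thread, as an added example that is not part of the original messages and is not Vim's code. The names `mix_key` and `P_WORDS` and the zeroed initial array are assumptions made for illustration; only the key-cycling loop mirrors the excerpt from blowfish.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define P_WORDS 18  /* same count as the `i < 18` loop in the excerpt */

/* Hypothetical helper: XOR a cycled key into an initial subkey array.
 * Returns 0 on success, -1 if the key is missing or empty. */
int mix_key(const uint32_t init[P_WORDS], uint32_t out[P_WORDS],
            const unsigned char *key, size_t keylen)
{
    size_t keypos = 0;
    int i, j;

    /* Guard before the loop: `keypos % 0` is undefined behaviour and
     * raises SIGFPE on x86, which is the crash in the report. */
    if (key == NULL || keylen == 0)
        return -1;

    for (i = 0; i < P_WORDS; ++i) {
        uint32_t val = 0;
        for (j = 0; j < 4; ++j) {
            /* Wrap around the key, as line 428 of the excerpt does. */
            val = (val << 8) | key[keypos % keylen];
            ++keypos;
        }
        out[i] = init[i] ^ val;
    }
    return 0;
}

int main(void)
{
    uint32_t init[P_WORDS] = {0};  /* constructed input, not Blowfish's table */
    uint32_t out[P_WORDS];

    /* Empty key: the caller gets an error code instead of a crash. */
    if (mix_key(init, out, (const unsigned char *)"", 0) != 0)
        fprintf(stderr, "empty key rejected\n");

    /* Non-empty key: the bytes a, b, c, a fill the first word. */
    if (mix_key(init, out, (const unsigned char *)"abc", 3) == 0)
        printf("first word: 0x%08lx\n", (unsigned long)out[0]);
    return 0;
}
```

Passing the length explicitly, instead of deriving it with a string-length call inside the function, lets the caller validate it once and keeps the guard next to the modulo it protects.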
