NetBSD-Bugs archive
lib/48876: Core dump in readline lib on attempted expansion
>Number: 48876
>Category: lib
>Synopsis: Core dump in readline lib on attempted expansion
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jun 05 20:05:00 +0000 2014
>Originator: Dmitriy Grigoryev
>Release: libedit-20140213-3.1
>Organization:
icmanage
>Environment:
Linux anamay 3.7.10-1.28-desktop #1 SMP PREEMPT Mon Feb 3 14:11:15 UTC 2014
(c9a2c6c) x86_64 x86_64 x86_64 GNU/Linux
>Description:
When a custom autocomplete function is set, readline always fails with
Segmentation fault (core dumped)
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff660e94a in __strcmp_sse42 () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff660e94a in __strcmp_sse42 () from /lib64/libc.so.6
#1 0x000000000043c235 in fn_complete (el=0x6627b0, complet_func=0x40f9e6
<_readline::complete_none(char const*, int)>,
attempted_completion_function=0x40f98b <_readline::cli_rl_autocomplete(char
const*, int, int)>, word_break=0x65b7b0 <break_chars> " \t\n\"\\'`@$><=;|&{(",
special_prefixes=<optimized out>, app_func=app_func@entry=0x428070
<_rl_completion_append_character_function>, query_items=100,
completion_type=completion_type@entry=0x65ca08 <rl_completion_type>,
over=over@entry=0x65ca88 <rl_attempted_completion_over>,
point=point@entry=0x65cac4 <rl_point>,
end=end@entry=0x65cac0 <rl_end>) at filecomplete.c:489
#2 0x000000000042af6a in rl_complete (ignore=ignore@entry=0,
invoking_key=<optimized out>) at readline.c:1795
#3 0x000000000042afdb in _el_rl_complete (el=<optimized out>, ch=<optimized
out>) at readline.c:1813
#4 0x00000000004320b0 in el_gets (el=0x6627b0,
nread=nread@entry=0x7fffffffd9f4) at read.c:635
#5 0x0000000000428887 in readline (p=0x7fffffffda20 "My_Shell> ") at
readline.c:427
#6 0x000000000040fc2d in _readline::cli_rl_enable () at cli.cpp:2801
#7 0x0000000000410d82 in main (argc=1, argv=0x7fffffffdcd8) at cli.cpp:3187
==
The problem is in filecomplete.c, function fn_complete, line 489.
Let's assume that my program has several allowable commands, i.e. 'read',
'write', 'quit', and only one allowable command starts with 'q'.
In this case, when I type the letter 'q' as input and press <Tab>, I expect readline
to expand my input to 'quit'.
My custom attempted_completion_function, on getting 'q', returns an array
'matches' which is structured as
matches[0] = "quit"
matches[1] = 0
matches[2] = 0
Unfortunately, line 489 of filecomplete.c says:
if (matches[2] == NULL && strcmp(matches[0], matches[1]) == 0) {
Unfortunately, matches[1] is surely NULL (hey, we have only one match! so only
matches[0] actually holds a string), so this code will just crash with SIGSEGV
each time.
>How-To-Repeat:
Have a custom autocompletion function and try to expand an input which has only
one match to expand into.
>Fix:
diff filecomplete.c filecomplete_orig.c
489,491c489
< if (matches[2] == NULL && (matches[1] == NULL ||
< (strcmp(matches[0], matches[1])) ==
0)
< ) {
---
> if (matches[2] == NULL && strcmp(matches[0], matches[1]) == 0) {
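Review bot: in the new condition on the `<` lines, matches[2] is still read before the matches[1] == NULL test, so a completion function that returns only one string plus the NULL terminator makes the check index one slot past the terminator. Test matches[1] first, for example `if (matches[1] == NULL || (matches[2] == NULL && strcmp(matches[0], matches[1]) == 0)) {`. Separately, the command shown is `diff filecomplete.c filecomplete_orig.c`, so the `<` lines are the fix and the `>` line is the original; regenerating it as a unified diff with the original file first would let it be applied directly.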
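Added example, not part of the original report or of libedit's source: the condition quoted from line 489 next to a checked form that stops at the first NULL, for both array layouts discussed above. The function names and the sample arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample arrays (hypothetical, not taken from the reporter's program). */
const char *const short_form[]  = { "quit", NULL };           /* layout described in the report */
const char *const long_form[]   = { "quit", "quit", NULL };   /* layout the quoted check can handle */
const char *const prefix_form[] = { "q", "quit", NULL };      /* one candidate, prefix differs */
const char *const many_form[]   = { "", "read", "write", NULL };

/* Condition as quoted from line 489: strcmp() is handed matches[1] even
 * when it is NULL, so calling this with short_form is the reported crash. */
int single_match_orig(const char *const *matches)
{
    return matches[2] == NULL && strcmp(matches[0], matches[1]) == 0;
}

/* Checked form: every slot is tested before the next one is read, so the
 * function never dereferences NULL and never indexes past the terminator. */
int single_match_checked(const char *const *matches)
{
    if (matches == NULL || matches[0] == NULL)
        return 0;                       /* no completion at all */
    if (matches[1] == NULL)
        return 1;                       /* only matches[0] holds a string */
    return matches[2] == NULL && strcmp(matches[0], matches[1]) == 0;
}

int main(void)
{
    /* single_match_orig(short_form) is deliberately not called here. */
    printf("orig    long_form   -> %d\n", single_match_orig(long_form));
    printf("checked short_form  -> %d\n", single_match_checked(short_form));
    printf("checked long_form   -> %d\n", single_match_checked(long_form));
    printf("checked prefix_form -> %d\n", single_match_checked(prefix_form));
    printf("checked many_form   -> %d\n", single_match_checked(many_form));
    return 0;
}
```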