NetBSD Problem Report #48876

From www@NetBSD.org  Thu Jun  5 20:01:29 2014
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 88C78A64F3
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  5 Jun 2014 20:01:29 +0000 (UTC)
Message-Id: <20140605200128.68CDFA64F3@mollari.NetBSD.org>
Date: Thu,  5 Jun 2014 20:01:28 +0000 (UTC)
From: Dmitriy.Grigoryev@icmanage.com
Reply-To: Dmitriy.Grigoryev@icmanage.com
To: gnats-bugs@NetBSD.org
Subject: Core dump in readline lib on attempted expansion
X-Send-Pr-Version: www-1.0

>Number:         48876
>Category:       lib
>Synopsis:       Core dump in readline lib on attempted expansion
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Jun 05 20:05:00 +0000 2014
>Closed-Date:    Thu Jun 25 05:39:58 +0000 2015
>Last-Modified:  Thu Jun 25 05:39:58 +0000 2015
>Originator:     Dmitriy Grigoryev
>Release:        libedit-20140213-3.1
>Organization:
icmanage
>Environment:
Linux anamay 3.7.10-1.28-desktop #1 SMP PREEMPT Mon Feb 3 14:11:15 UTC 2014 (c9a2c6c) x86_64 x86_64 x86_64 GNU/Linux
>Description:
When a custom autocomplete function is set, readline always fails with Segmentation fault (core dumped).

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff660e94a in __strcmp_sse42 () from /lib64/libc.so.6
(gdb) bt
#0  0x00007ffff660e94a in __strcmp_sse42 () from /lib64/libc.so.6
#1  0x000000000043c235 in fn_complete (el=0x6627b0, complet_func=0x40f9e6 <_readline::complete_none(char const*, int)>,
    attempted_completion_function=0x40f98b <_readline::cli_rl_autocomplete(char const*, int, int)>, word_break=0x65b7b0 <break_chars> " \t\n\"\\'`@$><=;|&{(",
    special_prefixes=<optimized out>, app_func=app_func@entry=0x428070 <_rl_completion_append_character_function>, query_items=100,
    completion_type=completion_type@entry=0x65ca08 <rl_completion_type>, over=over@entry=0x65ca88 <rl_attempted_completion_over>, point=point@entry=0x65cac4 <rl_point>,
    end=end@entry=0x65cac0 <rl_end>) at filecomplete.c:489
#2  0x000000000042af6a in rl_complete (ignore=ignore@entry=0, invoking_key=<optimized out>) at readline.c:1795
#3  0x000000000042afdb in _el_rl_complete (el=<optimized out>, ch=<optimized out>) at readline.c:1813
#4  0x00000000004320b0 in el_gets (el=0x6627b0, nread=nread@entry=0x7fffffffd9f4) at read.c:635
#5  0x0000000000428887 in readline (p=0x7fffffffda20 "My_Shell> ") at readline.c:427
#6  0x000000000040fc2d in _readline::cli_rl_enable () at cli.cpp:2801
#7  0x0000000000410d82 in main (argc=1, argv=0x7fffffffdcd8) at cli.cpp:3187
==

The problem is in filecomplete.c, function fn_complete, line 489.

Let's assume that my program has several allowable commands, i.e. 'read', 'write', 'quit', and only one allowable command starts with 'q'.

In this case when I type letter 'q' in input and press <Tab> I expect readline to expand my input to the 'quit'.

My custom attempted_completion_function on getting 'q' returns an array 'matches' which is structured as

matches[0] = "quit"
matches[1] = 0
matches[2] = 0

Unfortunately, line 489 of filecomplete.c says:

	if (matches[2] == NULL && strcmp(matches[0], matches[1]) == 0) {

Unfortunately, matches[1] is surely NULL (hey, we have only one match! So only matches[0] actually holds a string), so this code will just crash with SIGSEGV each time.
>How-To-Repeat:
Have custom autocompletion function and try to expand an input which has only one match to expand into.
>Fix:
diff filecomplete.c filecomplete_orig.c 
489,491c489
<               if (matches[2] == NULL && (matches[1] == NULL ||
<                                         (strcmp(matches[0], matches[1])) == 0) 
<                   ) {
---
>               if (matches[2] == NULL && strcmp(matches[0], matches[1]) == 0) {
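Review bot: the diff is reversed and in the default (non-unified) format, so `patch` cannot apply it directly: the arguments are `filecomplete.c filecomplete_orig.c`, which makes the `<` lines the new code and the `>` line the original, while the header `489,491c489` reads as if three lines were being collapsed into one. Regenerating it as `diff -u filecomplete_orig.c filecomplete.c` would give a hunk that applies cleanly and reads in the usual direction. In the new condition itself, the guard `matches[1] == NULL ||` is the right fix for the NULL dereference in `strcmp()`, but the extra parentheses around `(strcmp(matches[0], matches[1]))` add nothing, the trailing whitespace after `== 0)` should go, and the closing `)` on its own line is easier to read if folded onto the preceding line, e.g. `(matches[1] == NULL || strcmp(matches[0], matches[1]) == 0)) {`.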

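The check below is an added illustration of the condition under discussion, not code from libedit or from the PR: it applies the fixed logic to the submitter's array, to an array laid out in the GNU readline convention (matches[0] is the substitution text and the candidates follow, NULL-terminated, so a single match repeats it in matches[1]), and to a multi-match array, all of which are constructed here.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Match arrays in the readline convention: matches[0] is the text to
 * substitute (longest common prefix), matches[1..] are the candidates,
 * NULL-terminated. All four arrays are constructed for this example. */
static char *readline_single[]   = { "quit", "quit", NULL };         /* GNU readline style */
static char *submitter_matches[] = { "quit", NULL, NULL };           /* the array from the PR */
static char *readline_multi[]    = { "re", "read", "rename", NULL }; /* prefix + two candidates */
static char *no_matches[]        = { NULL };

/* Mirrors the condition at filecomplete.c:489 with the PR's fix applied:
 * exactly one completion if matches[2] is NULL and matches[1] is either
 * absent or identical to matches[0]. Added example, not libedit's code. */
int single_match(char *const *matches)
{
    if (matches == NULL || matches[0] == NULL)
        return 0;                    /* nothing to complete */
    if (matches[1] == NULL)
        return 1;                    /* only matches[0] supplied, as in the PR */
    if (matches[2] != NULL)
        return 0;                    /* two or more candidates */
    return strcmp(matches[0], matches[1]) == 0;   /* safe: both non-NULL here */
}

/* Counts the candidates after matches[0]; shows why the unguarded
 * strcmp(matches[0], matches[1]) was reached for the submitter's array. */
size_t candidate_count(char *const *matches)
{
    size_t n = 0;
    if (matches == NULL || matches[0] == NULL)
        return 0;
    while (matches[1 + n] != NULL)
        n++;
    return n;
}

int main(void)
{
    printf("submitter array: single=%d candidates=%zu\n",
           single_match(submitter_matches), candidate_count(submitter_matches));
    printf("readline single: single=%d candidates=%zu\n",
           single_match(readline_single), candidate_count(readline_single));
    printf("readline multi : single=%d candidates=%zu\n",
           single_match(readline_multi), candidate_count(readline_multi));
    return 0;
}
```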
>Release-Note:

>Audit-Trail:
From: "Christos Zoulas" <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/48876 CVS commit: src/lib/libedit
Date: Thu, 5 Jun 2014 18:07:42 -0400

 Module Name:	src
 Committed By:	christos
 Date:		Thu Jun  5 22:07:42 UTC 2014

 Modified Files:
 	src/lib/libedit: filecomplete.c

 Log Message:
 PR/48876: Dmitriy Grigoryev: Core dump in readline lib on attempted expansion
 Make sure we have 2 matches before calling strcmp().


 To generate a diff of this commit:
 cvs rdiff -u -r1.31 -r1.32 src/lib/libedit/filecomplete.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->feedback
State-Changed-By: wiz@NetBSD.org
State-Changed-When: Thu, 05 Jun 2014 22:23:17 +0000
State-Changed-Why:
Christos committed a fix -- does it work for you too?


State-Changed-From-To: feedback->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Thu, 25 Jun 2015 05:39:58 +0000
State-Changed-Why:
Feedback mail bounced; assume the fix worked.


>Unformatted:
