Bug#964358: libedit2: Pasting a very large line crashes libedit
Ángel
bugs at debian.16bits.net
Wed Aug 12 01:46:33 BST 2020
severity 964358 grave
affects 964358 php-cli
Package: libedit2
Version: 3.1-20181209-1
The #964358 crash is also affecting packaged programs that link to libedit,
such as php-cli.
Steps to reproduce:
php -r 'echo str_repeat("a", 2000);'
Copy the output
Run php -a
Paste the above
It seems to differ based on the terminal size: with 100 columns it seems to be about 1500 characters; enlarging by a few columns it may move to 1800, etc.
Running under gdb, the limit seems to increase, too, but it's nevertheless reproducible.
Using the symbols from php7.3-cli-dbgsym and libedit2-dbgsym:
(...)
Program received signal SIGSEGV, Segmentation fault.
re__copy_and_pad (width=100, src=<optimized out>,
dst=0x4 <error: Cannot access memory at address 0x4>) at refresh.c:1018
1018 refresh.c: No such file or directory.
(gdb) bt
#0 re__copy_and_pad (width=100, src=<optimized out>,
dst=0x4 <error: Cannot access memory at address 0x4>) at refresh.c:1018
#1 re_fastputc (el=el at entry=0x555555b1a210, c=c at entry=97) at refresh.c:1129
#2 0x00007ffff4aac353 in re_fastaddc (el=el at entry=0x555555b1a210) at refresh.c:1171
#3 0x00007ffff4aa3d02 in ed_insert (el=0x555555b1a210, c=97) at common.c:96
#4 0x00007ffff4aaa792 in el_wgets (el=el at entry=0x555555b1a210, nread=nread at entry=0x7fffffffcbc4)
at read.c:538
#5 0x00007ffff4aa5dc3 in el_gets (el=0x555555b1a210, nread=nread at entry=0x7fffffffcbc4) at eln.c:75
#6 0x00007ffff4ab84f6 in readline (p=0x7ffff507b018 "php > ") at readline.c:453
#7 0x00007ffff523481a in ?? () from /usr/lib/php/20180731/readline.so
#8 0x0000555555885916 in do_cli (argc=2, argv=0x555555a12c90) at ./sapi/cli/php_cli.c:995
#9 0x0000555555661b1b in main (argc=2, argv=0x555555a12c90) at ./sapi/cli/php_cli.c:1393
There is a similar (more related to autocompletion) libedit crash
mentioned in openbsd-tech:
https://marc.info/?l=openbsd-tech&m=156463894328592&w=2
which points to NetBSD
https://github.com/NetBSD/src/commit/b91b3c48e0edb116bd797586430cb426b575d717
initializing a number of buffers using calloc. That one references
https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=54399
However, PR54399 is a crash on history functions, unrelated to the
above. The other calloc() could be fixing this problem, though.
Updating libedit2 from 3.1-20181209-1 (buster) to 3.1-20191231-1 (bullseye) I can no longer reproduce the crash.