I've been running a debug build of vim for a while, and while diagnosing a 
slowness problem noticed that it was much slower than the version I get with my 
distro (Kubuntu 14.04, 7.4.52), so I changed my compiler flags to add -O2 and 
recompiled.

The resulting executable aborted instantly:
*** buffer overflow detected ***: vim terminated
and splurges out a backtrace and about 300 lines of memory map.
The version of gcc is 4.8.2.

Getting a core dump, I see that gcc is doing a checked strcpy and aborting.  
This occurs at my line 874 of eval.c:

        STRCPY(p->vv_di.di_key, p->vv_name);

p is pointing at the first element of vimvars:

static struct vimvar
{
    char        *vv_name;       /* name of variable, without v: */
    dictitem_T  vv_di;          /* value and name for key */
    char        vv_filler[16];  /* space for LONGEST name below!!! */
    char        vv_flags;       /* VV_COMPAT, VV_RO, VV_RO_SBX */
} vimvars[VV_LEN] =

and vv_di is a

struct dictitem_S
{
    typval_T    di_tv;          /* type and value of the variable */
    char_u      di_flags;       /* flags (only used for variable) */
    char_u      di_key[1];      /* key (actually longer!) */
};

This is done to avoid an allocation for di_key.  I think gcc is complaining that 
di_key has only room for one char, and doesn't realize that we've allowed space 
in vv_filler for the data.

Why it should do that with -O2 and not without has me wondering; perhaps the 
members of struct vimvar are being reordered?

Anyway, if I add -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1 to the compile flags 
(gcc is using a default of 2) the abort goes away, but this leaves an uneasy 
feeling.

I thought having the last char item of a struct being declared as [1] was valid 
C, and I have a vague idea that there's an explicit ok for this sort of thing. 

Regards, John Little
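Added example, not vim's code: a constructed mock of the layout described in the post (a one-byte di_key inside a vimvar that supplies the real room in vv_filler), with a bounded key copy that checks the name against the bytes actually reserved and writes through the enclosing struct, so a fortified copy is checked against the true capacity rather than the one-byte subobject. The typval_T stand-in and the VV_KEY_CAPACITY macro are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for vim's typval_T (constructed; only its size matters here). */
typedef struct { long v_type; long v_val; } typval_T;

/* Mock of the posted dictitem_S: key declared as one byte, really longer. */
typedef struct dictitem_S {
    typval_T      di_tv;
    unsigned char di_flags;
    unsigned char di_key[1];     /* key (actually longer!) */
} dictitem_T;

/* Mock of the posted struct vimvar: vv_filler provides the key's space. */
struct vimvar {
    const char *vv_name;
    dictitem_T  vv_di;
    char        vv_filler[16];   /* space for the longest name */
    char        vv_flags;
};

/* Bytes genuinely usable for the key: from di_key up to vv_flags.
 * Padding between di_key and vv_filler counts, exactly as vim relies on. */
#define VV_KEY_CAPACITY \
    (offsetof(struct vimvar, vv_flags) - \
     (offsetof(struct vimvar, vv_di) + offsetof(dictitem_T, di_key)))

/* Copy name into the key, refusing anything that would not fit.
 * The destination is derived from the enclosing vimvar, not from the
 * di_key[1] member, so the compiler's object-size tracking (and thus a
 * _FORTIFY_SOURCE=2 check) sees the real capacity.
 * Returns 0 on success, -1 if the name is too long. */
int vimvar_set_key(struct vimvar *vv, const char *name)
{
    size_t len = strlen(name);
    char *dst;

    if (len + 1 > VV_KEY_CAPACITY)
        return -1;
    dst = (char *)vv + offsetof(struct vimvar, vv_di)
                     + offsetof(dictitem_T, di_key);
    memcpy(dst, name, len + 1);
    return 0;
}

/* Read the key back as a C string. */
const char *vimvar_key(const struct vimvar *vv)
{
    return (const char *)vv->vv_di.di_key;
}
```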

You received this message from the "vim_dev" maillist.