NetBSD-Bugs archive


Re: bin/57630: vi coredump



The following reply was made to PR bin/57630; it has been noted by GNATS.

From: mlelstv%serpens.de@localhost (Michael van Elst)
To: gnats-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/57630: vi coredump
Date: Wed, 27 Sep 2023 16:00:55 -0000 (UTC)

 he%NetBSD.org@localhost (Havard Eidnes) writes:
 
 >> On Wed, Sep 27, 2023 at 02:55:35PM +0200, Havard Eidnes wrote:
 >>> a<space><esc>  (or just a<esc>, same result)
 >>> :%s/^<space><space><enter>
 >>
 >> no <space>es here, just <enter>
 >Ah, yes, then I get
 >~
 >~
 >[2]   Segmentation fault (core dumped) vi
 >$
 
 
 The db routines (vi_db.c/vi_db1.c) can return a NULL pointer
 for an empty line or when a buffer allocation fails, which also
 happens if the line is empty, as we don't allocate a buffer if
 the previous one with length == 0 is sufficiently large.
 
 The result is fed into regexec() which crashes.
 
 Fixing the db code and possibly also the allocation code
 throughout the source probably ends in rewriting nvi. So
 I suggest preventing regexec() from crashing, like:
 
 Index: dist/regex/engine.c
 ===================================================================
 RCS file: /cvsroot/src/external/bsd/nvi/dist/regex/engine.c,v
 retrieving revision 1.3
 diff -p -u -r1.3 engine.c
 --- dist/regex/engine.c 7 Jan 2014 21:48:12 -0000       1.3
 +++ dist/regex/engine.c 27 Sep 2023 16:00:10 -0000
 @@ -150,6 +150,11 @@ int eflags;
         const sopno gl = g->laststate;
         RCHAR_T *start;
         RCHAR_T *stop;
 +       RCHAR_T empty[] = { REOF };
 +
 +       /* Input can be a NULL pointer, treat like an empty line. */
 +       if (string == NULL)
 +               string = empty;
  
         /* simplify the situation where possible */
         if (g->cflags&REG_NOSUB)
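Review bot: the new `if (string == NULL) string = empty;` only covers the pointer, not the length that goes with it. `start` and `stop` are declared right above the added lines, and if they are later computed from `string` plus the caller's length (or from `pmatch[0]` under REG_STARTEND), a NULL input handed in with a nonzero length would still step past the one-element `empty[]`. Consider clamping the length (and the REG_STARTEND offsets) to zero inside the same `if`, and extending the comment to say that this is a guard for callers in vi_db.c/vi_db1.c that can legitimately return NULL for an empty line, so the assumption is visible to the next person reading engine.c.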
 
 
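Added example, not code from the PR or from nvi: a small POSIX regex.h wrapper that applies the same "NULL means empty line" guard before regexec(), but also clamps the length, and passes the line length through REG_STARTEND the way nvi's regexec takes an explicit size. The helper names and the sample line buffer are assumptions constructed for illustration.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: run `pattern` over one line. As with nvi's db layer,
 * the caller may hand us line == NULL to mean "empty line". Returns 1 on
 * match, 0 on no match, -1 if the pattern does not compile. */
int line_matches(const char *pattern, const char *line, size_t len)
{
    regex_t re;
    regmatch_t m[1];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;

    /* The guard from the PR, plus a length clamp: a NULL line is an empty
     * line, so a stale length must never point past the substitute buffer. */
    if (line == NULL) {
        line = "";
        len = 0;
    }

    /* Pass the explicit length via REG_STARTEND (like nvi's size argument);
     * the buffer need not be NUL-terminated within len. */
    m[0].rm_so = 0;
    m[0].rm_eo = (regoff_t)len;
    rc = regexec(&re, line, 1, m, REG_STARTEND);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Constructed buffer mirroring the reproducer: a line, the empty line left
 * behind by a<esc> (represented as NULL, as the db code returns it without
 * a buffer), and a line starting with two spaces. */
static const char *const lines[] = { "first", NULL, "  indented" };
static const size_t nlines = sizeof(lines) / sizeof(lines[0]);

/* Count the lines `pattern` matches, i.e. the lines :%s/^  / would visit. */
int count_matches(const char *pattern)
{
    int n = 0;
    for (size_t i = 0; i < nlines; i++) {
        const char *l = lines[i];
        if (line_matches(pattern, l, l ? strlen(l) : 0) == 1)
            n++;
    }
    return n;
}
```

Without the guard, the NULL entry in `lines` reaches regexec() directly, which is the crash the PR reports; with it, the empty line simply fails to match `^  ` and matches `^$`.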

