Re: [code] PATCH: fix a heap buffer overflow

From: Markus F.X.J. Oberhumer <>
Date: Wed, 17 Feb 2016 03:08:13 +0100

Hi Mitchell,

On 2016-02-17 02:52, Mitchell wrote:
> Hi Markus,
> On Mon, 15 Feb 2016, Markus F.X.J. Oberhumer wrote:
>> Please see attached patch and log.
>> BTW, I can really recommend "-fsanitize=address" to all C/C++ users.
>> For a for a relatively modest performance slowdown you do get a lot
>> of useful runtime checks.
> I'm not sure I agree with the output of that tool. Scintilla initializes
> SCNotifications like this:
> SCNotification scn = {};
> Now I am no expert on this, but according to the C standard, that type of
> initializer zeros out all structure members. Therefore accessing `scn->text`
> and passing its result to `lua_pushstring` will always result in a zero read
> length (since `lua_pushstring` works with C strings).
> Could you shed some more light on this? I'm not sure how to interpret the
> output of your tool :(

I think the problem is that the string that "n->text" points to is
not zero terminated in all cases - that's why we have to respect "n->length"
and must use "lua_pushlstring(L, n->text, n->length);"

> (By the way, Valgrind does not report this, or at least not in the limited way
> I know how to run it, which is why I haven't seen it before.)

valgrind reports the exact same errors as ASASN for me (x86_64 Linux Fedora 23):

==11913== Memcheck, a memory error detector
==11913== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11913== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==11913== Command: ./textadept src/textadept.c
==11913== Invalid read of size 1
==11913== at 0x4C2BC34: strlen (vg_replace_strmem.c:454)
==11913== by 0x4A638E: ??? (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x49859E: lua_pushstring (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x494E35: ??? (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x64B97A4: g_closure_invoke (in /usr/lib64/
==11913== by 0x64CB850: ??? (in /usr/lib64/
==11913== by 0x64D452F: g_signal_emit_valist (in /usr/lib64/
==11913== by 0x64D48FE: g_signal_emit (in /usr/lib64/
==11913== by 0x48950F: ScintillaGTK::NotifyParent(SCNotification) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x455529: Editor::NotifyModified(Document*, DocModification, void*) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x441A8D: Document::NotifyModified(DocModification) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x443448: ??? (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== Address 0x18ba9b20 is 0 bytes after a block of size 100,720 alloc'd
==11913== at 0x4C299CB: operator new[](unsigned long) (vg_replace_malloc.c:423)
==11913== by 0x43772B: Action::Create(actionType, int, char const*, int, bool) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x437B51: UndoHistory::AppendAction(actionType, int, char const*, int, bool&, bool) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x43A798: CellBuffer::InsertString(int, char const*, int, bool&) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x4433B0: ??? (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x45B9CD: Editor::WndProc(unsigned int, unsigned long, long) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)
==11913== by 0x48E54D: ScintillaGTK::WndProc(unsigned int, unsigned long, long) (in /home/hosts/amd64-linux/build/textadept-hg-mfx/textadept)


> Cheers,
> Mitchell

Markus Oberhumer, <>,
You are subscribed to
To change subscription settings, send an e-mail to
To unsubscribe, send an e-mail to
Received on Tue 16 Feb 2016 - 21:08:13 EST

This archive was generated by hypermail 2.2.0 : Wed 17 Feb 2016 - 06:33:54 EST