Dominique wrote:

> Vim-8.0.873 and older crash with the attached
> nonsensical "crash.vim" script:
>
> $ vim -u NONE -S crash.vim
> Vim: Caught deadly signal SEGV
> Vim: Finished.
> Segmentation fault (core dumped)
>
> Running with valgrind gives:
>
> ==4446== Memcheck, a memory error detector
> ==4446== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==4446== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
> ==4446== Command: vim -u NONE -S crash.vim
> ==4446==
> ==4446== Invalid write of size 1
> ==4446==    at 0x4C31060: strcpy (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==4446==    by 0x4BD91E: strcpy (string3.h:110)
> ==4446==    by 0x4BD91E: home_replace (misc1.c:4644)
> ==4446==    by 0x47E67F: msg_add_fname (fileio.c:5269)
> ==4446==    by 0x47E67F: filemess (fileio.c:165)
> ==4446==    by 0x48246A: readfile (fileio.c:659)
> ==4446==    by 0x40A060: open_buffer (buffer.c:236)
> ==4446==    by 0x44FA97: do_ecmd (ex_cmds.c:4185)
> ==4446==    by 0x466023: do_exedit (ex_docmd.c:8744)
> ==4446==    by 0x461A47: do_one_cmd (ex_docmd.c:2952)
> ==4446==    by 0x45DC8D: do_cmdline (ex_docmd.c:1089)
> ==4446==    by 0x4526C0: global_exe (ex_cmds.c:5914)
> ==4446==    by 0x4525AA: ex_global (ex_cmds.c:6054)
> ==4446==    by 0x461A47: do_one_cmd (ex_docmd.c:2952)
> ==4446==  Address 0x84cc4f1 is 0 bytes after a block of size 1,025 alloc'd
> ==4446==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==4446==    by 0x4CB857: lalloc (misc2.c:942)
> ==4446==    by 0x5F034B: common_init (main.c:953)
> ==4446==    by 0x5EDFE3: main (main.c:177)
> (followed by other errors)
>
> The attached patch fixes it, but it might be
> only a workaround, as I don't think that the
> script should cause to have a long string.
>
> Bug was found using afl-fuzz.
Thanks for finding this.  The solution looks a bit over the top.  I tried
using strncpy() instead, but then splitting a multi-byte character causes
using uninitialized memory.  Using vim_snprintf() works better.

-- 
TALL KNIGHT: Firstly.  You must get us another shrubbery!
OTHER KNIGHTS: More shrubberies!  More shrubberies for the ex-Knights of Ni!
ARTHUR: Not another shrubbery -
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
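An added example, not Vim's own code and not the attached patch, showing the kind of bounded copy the reply describes: a snprintf() copy into a fixed-size buffer (the C library's snprintf() stands in for vim_snprintf()), followed by trimming any multi-byte character that truncation cut in half, which is the failure mode a plain strncpy() leaves behind. NAMEBUF_SIZE, utf8_seq_len, copy_name_bounded and demo_copy are names chosen for this example; the inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed name buffer: the valgrind report shows a 1,025-byte
 * block, so the same value is used here (constructed, not Vim's buffer). */
#define NAMEBUF_SIZE 1025

/* Byte length of a UTF-8 sequence from its lead byte; 0 if the byte is a
 * continuation byte or cannot start a sequence. */
static size_t utf8_seq_len(unsigned char lead)
{
    if (lead < 0x80) return 1;
    if (lead >= 0xC2 && lead <= 0xDF) return 2;
    if (lead >= 0xE0 && lead <= 0xEF) return 3;
    if (lead >= 0xF0 && lead <= 0xF4) return 4;
    return 0;
}

/* Bounded replacement for the unbounded strcpy() in the trace. snprintf()
 * never writes past dstsize and always NUL-terminates (strncpy() does not),
 * and a UTF-8 sequence cut in half by truncation is dropped, so code that
 * later walks the string character by character stays inside the buffer.
 * Returns 1 if src was truncated, 0 if it fit. */
int copy_name_bounded(char *dst, size_t dstsize, const char *src)
{
    int n = snprintf(dst, dstsize, "%s", src);
    if (n < 0 || (size_t)n < dstsize)
        return 0;
    size_t len = dstsize - 1, i = len;    /* len bytes written, then NUL */
    while (i > 0 && ((unsigned char)dst[i - 1] & 0xC0) == 0x80)
        i--;                              /* back over continuation bytes */
    if (i > 0) {
        size_t want = utf8_seq_len((unsigned char)dst[i - 1]);
        if (want == 0 || len - (i - 1) < want)
            dst[i - 1] = '\0';            /* incomplete sequence: cut it */
    }
    return 1;
}

/* Constructed input: `ascii` bytes of 'a' followed by `tail`; returns how
 * many bytes survive the bounded copy into a NAMEBUF_SIZE buffer. */
size_t demo_copy(size_t ascii, const char *tail)
{
    static char src[4096], dst[NAMEBUF_SIZE];
    memset(src, 'a', ascii);
    memcpy(src + ascii, tail, strlen(tail) + 1);  /* src sized for this */
    copy_name_bounded(dst, sizeof dst, src);
    return strlen(dst);
}
```

demo_copy(2000, "") keeps 1024 bytes, while demo_copy(1023, "\xC3\xA9") keeps 1023: the lead byte of the split "é" is dropped rather than left dangling at the end of the buffer.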