On Sun, 09 Jul 2017, Bram Moolenaar wrote:
> James McCoy wrote:
> > A few issues were reported on RedHat's bug tracker[0] which have been
> > assigned CVE-2017-11109. I took an initial look at them and reduced the
> > fuzzer-created scripts so they're clearer (especially for POC2).
> >
> > [0]: https://bugzilla.redhat.com/show_bug.cgi?id=1468492
> >
> > I've also attached a patch that resolves the issue for POC1. Below are
> > the ASAN tracebacks for each issue, all using 8.0.0702.
>
> I think I fixed POC1, however for POC2 and POC3 I can't really
> see what the problem is. Perhaps it requires ASAN, valgrind won't be
> sufficient?
POC2 crashes here at ex_getln.c:

 971     if (ccline.cmdpos > 0)
 972     {
 973         char_u *p;
 974
 975         j = ccline.cmdpos;
 976         p = ccline.cmdbuff + j;
 977 #ifdef FEAT_MBYTE
 978         if (has_mbyte)
 979         {
 980             p = mb_prevptr(ccline.cmdbuff, p);

ccline.cmdbuff is NULL, I think because of an earlier call to open_cmdwin setting ccline.cmdbuff=NULL.

This patch fixes the crash:

diff --git a/src/ex_getln.c b/src/ex_getln.c index a888ba412..9747956f0 100644 --- a/src/ex_getln.c +++ b/src/ex_getln.c @@ -791,6 +791,7 @@ getcmdline( /* In Ex mode a backslash escapes a newline. */ if (exmode_active && c != ESC + && ccline.cmdbuff && ccline.cmdpos == ccline.cmdlen && ccline.cmdpos > 0 && ccline.cmdbuff[ccline.cmdpos - 1] == '\\') @@ -968,7 +969,7 @@ getcmdline( ccline.cmdpos += mb_off_next(ccline.cmdbuff, ccline.cmdbuff + ccline.cmdpos); #endif - if (ccline.cmdpos > 0) + if (ccline.cmdbuff && ccline.cmdpos > 0) { char_u *p;

Best,
Christian
--
Everything living forms an atmosphere around itself.
-- Goethe, Maximen und Reflektionen, Nr. 819
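Review bot: In the hunk at @@ -791 the new `&& ccline.cmdbuff` guard is correctly placed before `ccline.cmdbuff[ccline.cmdpos - 1]` is read, but the surrounding condition still relies on `ccline.cmdpos == ccline.cmdlen && ccline.cmdpos > 0` being meaningful when the buffer has been dropped; please confirm that the code path which sets ccline.cmdbuff to NULL (open_cmdwin, per the description above) also resets cmdpos and cmdlen, otherwise stale values can slip past this test. Two smaller points: Vim's style is an explicit comparison, so `&& ccline.cmdbuff != NULL` would match the neighbouring code, and extending the comment `/* In Ex mode a backslash escapes a newline. */` with why cmdbuff can be NULL here keeps the guard from being removed later as redundant.

Review bot: In the hunk at @@ -968 the guard comes too late for the multibyte build: the unchanged context line just above it, `ccline.cmdpos += mb_off_next(ccline.cmdbuff, ccline.cmdbuff + ccline.cmdpos);` inside the #ifdef that the following `#endif` closes, already passes ccline.cmdbuff to mb_off_next() and does pointer arithmetic on it before `if (ccline.cmdbuff && ccline.cmdpos > 0)` is reached, so with a NULL cmdbuff the crash only moves up a few lines. Suggest hoisting the NULL check above that #ifdef block, or better, leaving getcmdline() as soon as the command-line window has left ccline.cmdbuff NULL, rather than guarding each dereference individually; the same pattern (`p = ccline.cmdbuff + j;` at line 976 in the listing above) recurs throughout the function.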