Re: [patch] fix access beyond end of string in mb_strnicmp()

Bram Moolenaar Sat, 23 Oct 2010 09:28:24 -0700

Dominique Pelle wrote:

> Using Vim-7.3.31, I observe the following error with Valgrind:
> 
> ==5153== Invalid read of size 1
[...]
> ==5153==    by 0x80E8F90: main (main.c:965)
> (and several more errors after that)
> 
> It happens when I use my LanguageTool plugin:
> 
>   http://www.vim.org/scripts/script.php?script_id=3223
> 
> After installing the plugin, I can reproduce the bug when
> running Vim with Valgrind and doing this:
> 
>   :help change.txt
>   :LanguageToolCheck
> 
> Then click in the buffer containing content of "change.txt"
> and observe the valgrind error.
> 
> I see that mb_strnicmp(...) is called with input strings which
> are not valid utf-8 strings.  Putting more debug printf, I see that
> mb_strnicmp(...) is called with s1, s2 at eval.c:4476 with following
> values:
> 
> [eval.c:4476] s1=[<80><FD><2E>] s2=[<80><FD><2C>] rettv->v_type=[2]
> var2.v_type=[2]
> 
> Adding more debug printf, I see that the name of the variable containing
> this invalid utf-8 sequence is "l:c".
> 
> This variable l:c is initialized in ~/.vim/plugin/LanguageTool.vim
> as follows:
> 
>     call feedkeys("\<LeftMouse>")
>     let l:c = getchar()
> 
> l:c contains <80><FD><2E> which is K_SPECIAL <FD><2E>
> 
> String contains a truncated utf-8 sequence (it's not a utf-8 string)
> and causes mb_strnicmp(...) to access memory beyond end of string.
> 
> Attached patch makes mb_strnicmp() safer to prevent access beyond
> end of string in case input strings contains truncated utf-8 sequences.


Thanks.  I'll put this on the todo list.

-- 
GUARD #2:  Wait a minute -- supposing two swallows carried it together?
GUARD #1:  No, they'd have to have it on a line.
GUARD #2:  Well, simple!  They'd just use a standard creeper!
GUARD #1:  What, held under the dorsal guiding feathers?
GUARD #2:  Well, why not?
                                  The Quest for the Holy Grail (Monty Python)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

Re: [patch] fix access beyond end of string in mb_strnicmp()

Raspunde prin e-mail lui