On 18/09/12 10:30 AM, Ben Schmidt wrote:
On 18/09/12 8:49 AM, Dominique Pellé wrote:
Raymond Ko <[email protected]> wrote:
Hello all,
After compiling VIM with Visual Studio 2012,
apparently a buffer overflow was detected
and caused VIM to crash.
...snip...
mb_unescape() seems to be meant for only
decoding individual characters, and stores
its results inside a static local array buf, which
is only meant to be MB_MAXBYTES + 1 big
(22 bytes).
...snip...
I don't understand the function mb_unescape(),
but what I can see is that it can overflow buf[ ] by
1 byte:
mbytes.c:
3796 static char_u buf[MB_MAXBYTES + 1];
3802 for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n)
...
3828 else
3829 buf[m++] = str[n];
3830 buf[m] = NUL; <--- where it crashes
....
3838 }
Notice that we may write 2 bytes within the for loop
(at lines 3829 and line 3830 for example). So the
check at line 3802 (m <= MB_MAXBYTES) is not
enough to prevent overflows. If m is MB_MAXBYTES
at line 3802, we enter the for loop, which may write
at buf[MB_MAXBYTES] at line 3829 and then write at
buf[MB_MAXBYTES+1] at line 3830 (overflow
by 1 byte!)
This overflow can be avoided by adding one more
byte to buf:
3796 static char_u buf[MB_MAXBYTES + 2];
But since I don't understand the function, I'm not
sure whether that's the correct fix.
I think the correct fix is to change the condition of the for loop. It
should be a strict inequality (m < MB_MAXBYTES). There is no need to
check that a character sequence one character longer than the maximum is
illegal: it always will be, and we can just skip the loop body and
return NULL in that case.
Well, actually, the correct fix would possibly be to rework the logic of
the whole function, which is pretty inefficient. And it's not 100% clear
what its intent is, as it doesn't do what it seems like it's trying to
do. However, in the absence of a bug proving it doesn't do the right
thing, it's probably best just to fix the overflow. My suggestion does
that without changing/breaking current behaviour.
Smiles,
Ben.
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
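As an added illustration, not code from the thread or from Vim's source, here is a simplified model of the quoted loop that counts how many writes would land past the end of buf under the original test (m <= MB_MAXBYTES), Ben's strict test (m < MB_MAXBYTES) and Dominique's larger buffer. The helper names, the value MB_MAXBYTES = 21 (derived from the 22-byte buf mentioned above) and the input of 22 non-NUL bytes are assumptions made for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MB_MAXBYTES 21          /* assumed: buf[MB_MAXBYTES + 1] is 22 bytes per the thread */
#define NUL '\0'
typedef unsigned char char_u;

/* Write buf[idx] only if idx is inside a buffer of buf_size bytes; otherwise
 * count the out-of-bounds write instead of performing it, so the model never
 * corrupts memory the way the real loop would. */
static void checked_write(char_u *buf, size_t buf_size, size_t idx, char_u val, int *oob)
{
    if (idx < buf_size)
        buf[idx] = val;
    else
        ++*oob;
}

/* Simplified model of the loop quoted above: each iteration appends one byte
 * (line 3829) and NUL-terminates (line 3830). strict selects the proposed
 * (m < MB_MAXBYTES) test instead of the original (m <= MB_MAXBYTES); buf_size
 * is the declared size of buf. Returns the number of writes past the end. */
int oob_writes(const char_u *str, int strict, size_t buf_size)
{
    char_u buf[MB_MAXBYTES + 2];    /* large enough for either declared size */
    int oob = 0;
    size_t m = 0, n;

    for (n = 0; str[n] != NUL && (strict ? m < MB_MAXBYTES : m <= MB_MAXBYTES); ++n) {
        checked_write(buf, buf_size, m++, str[n], &oob);   /* buf[m++] = str[n]; */
        checked_write(buf, buf_size, m, NUL, &oob);        /* buf[m] = NUL;      */
    }
    return oob;
}

/* Constructed input: MB_MAXBYTES + 1 non-NUL bytes, one byte longer than any
 * valid character sequence, which is exactly the case the loop must reject. */
int demo(int strict, size_t buf_size)
{
    char_u input[MB_MAXBYTES + 2];
    memset(input, 'A', MB_MAXBYTES + 1);
    input[MB_MAXBYTES + 1] = NUL;
    return oob_writes(input, strict, buf_size);
}

int main(void)
{
    printf("original test, buf[MB_MAXBYTES + 1]: %d out-of-bounds write(s)\n", demo(0, MB_MAXBYTES + 1));
    printf("strict test,   buf[MB_MAXBYTES + 1]: %d out-of-bounds write(s)\n", demo(1, MB_MAXBYTES + 1));
    printf("original test, buf[MB_MAXBYTES + 2]: %d out-of-bounds write(s)\n", demo(0, MB_MAXBYTES + 2));
    return 0;
}
```

The original test lets the loop run with m == MB_MAXBYTES, so the NUL at line 3830 lands at buf[MB_MAXBYTES + 1]; either fix brings the count to zero, the strict test by never entering that iteration, the larger buffer by making room for it.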