Re: Possible buffer overflow caused by message.c:str2special(unsigned char **sp, int from) due to (wrong?) use of mb_unescape() @ message.c:1542

[Bram Moolenaar]

Raymond Ko wrote:

> After compiling VIM with Visual Studio 2012, apparently a buffer
> overflow was detected and caused VIM to crash. Here's my report of
> what I think caused it.
> 
> I am using GVIM version 7.3.661 64-bit version, Windows 7, Python
> 2.7.x bindings, and UltiSnips plugin. GUI and MBYTE is on.
> 
> After finishing the Python part of UltiSnips, VIM tries to do
> msg_outtrans_special(s, FALSE); @ getchar.c:3985, where s is
> "\x1b:call UltiSnips_JumpForwards()\r".
> 
> Eventually it reaches string = str2special(&str, from); @
> message.c:1485, which calls str2special().
> 
> Inside str2special(), it calls mb_unescape(sp), where sp is a pointer
> to s above. This is where I think the problem is at.
> 
> mb_unescape() seems to meant for only decoding individual characters,
> and stores its results inside a static local array buf, which is only
> meant to be MB_MAXBYTES + 1 big (22 bytes). As you can see the result
> of the mapping above (s) is larger than 22 bytes, and does not fit
> inside buf, causing a buffer overflow to be detected.
> 
> At this point I am not sure what the actual problem is. Should
> mb_unescape() be changed to accept arbitrary length strings (a
> different MAX constant)? Should str2special() use a different
> function? Or is something wrong with the mapping expansion in
> msg_outtrans_special() and it shouldn't use str2special()?

Thanks for the analysis.  The problem is that the loop continues much
too long when there is no multi-byte character.  A multi-byte character
can be 4 bytes at maximum, when using utf-8 encoding.

I'll make a patch.

-- 
CRONE:  Who sent you?
ARTHUR: The Knights Who Say Ni!
CRONE:  Aaaagh!  (she looks around in rear) No!  We have no shrubberies here.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php