Hi, here is another odd case discovered by afl-fuzz which causes vim-7.4.725 to access invalid memory:
$ vim -u NONE \
-c 'e ++enc=utf ++bad=keep crash-4' \
-c 'call search(getline("."))|q'
... where crash-4 is the attached file (7 bytes).
Address sanitizer reports:
==25574==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200001a0b8 at pc 0x7386fe bp 0x7ffebd700e40 sp 0x7ffebd700e38
READ of size 1 at 0x60200001a0b8 thread T0
#0 0x7386fd in get_coll_element /home/pel/sb/vim/src/regexp.c:1160
#1 0x738e15 in skip_anyof /home/pel/sb/vim/src/regexp.c:1231
#2 0x76a56a in nfa_regatom /home/pel/sb/vim/src/regexp_nfa.c:1522
#3 0x76cc11 in nfa_regpiece /home/pel/sb/vim/src/regexp_nfa.c:1915
#4 0x76d938 in nfa_regconcat /home/pel/sb/vim/src/regexp_nfa.c:2156
#5 0x76da04 in nfa_regbranch /home/pel/sb/vim/src/regexp_nfa.c:2190
#6 0x76de1a in nfa_reg /home/pel/sb/vim/src/regexp_nfa.c:2250
#7 0x76e23b in re2post /home/pel/sb/vim/src/regexp_nfa.c:2674
#8 0x7805d8 in nfa_regcomp /home/pel/sb/vim/src/regexp_nfa.c:7119
#9 0x780f44 in vim_regcomp /home/pel/sb/vim/src/regexp.c:8086
#10 0x7bd0d0 in search_regcomp /home/pel/sb/vim/src/search.c:215
#11 0x7bea9e in searchit /home/pel/sb/vim/src/search.c:560
#12 0x4b170f in search_cmn /home/pel/sb/vim/src/eval.c:16366
#13 0x4b22ac in f_search /home/pel/sb/vim/src/eval.c:16516
#14 0x491a2c in call_func /home/pel/sb/vim/src/eval.c:8765
#15 0x4909f5 in get_func_tv /home/pel/sb/vim/src/eval.c:8565
#16 0x47d2a5 in ex_call /home/pel/sb/vim/src/eval.c:3510
#17 0x51e32c in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#18 0x516705 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#19 0x5152e9 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#20 0x8ddb29 in exe_commands /home/pel/sb/vim/src/main.c:2922
#21 0x8d7a88 in main /home/pel/sb/vim/src/main.c:958
#22 0x7f42d8210ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#0 0x406038 in _start ??:?
0x60200001a0b8 is located 0 bytes to the right of 8-byte region [0x60200001a0b0,0x60200001a0b8)
allocated by thread T0 here:
#0 0x7f42d9d2c7df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x650d06 in lalloc /home/pel/sb/vim/src/misc2.c:926
#2 0x650aa0 in alloc /home/pel/sb/vim/src/misc2.c:821
#3 0x65158d in vim_strsave /home/pel/sb/vim/src/misc2.c:1252
#4 0x49e4ea in get_buffer_lines /home/pel/sb/vim/src/eval.c:11438
#5 0x4a088f in f_getline /home/pel/sb/vim/src/eval.c:11971
#6 0x491a2c in call_func /home/pel/sb/vim/src/eval.c:8765
#7 0x4909f5 in get_func_tv /home/pel/sb/vim/src/eval.c:8565
#8 0x484525 in eval7 /home/pel/sb/vim/src/eval.c:5230
#9 0x48318f in eval6 /home/pel/sb/vim/src/eval.c:4881
#10 0x48274f in eval5 /home/pel/sb/vim/src/eval.c:4697
#11 0x480ffa in eval4 /home/pel/sb/vim/src/eval.c:4390
#12 0x480b7e in eval3 /home/pel/sb/vim/src/eval.c:4302
#13 0x48075e in eval2 /home/pel/sb/vim/src/eval.c:4231
#14 0x4802d6 in eval1 /home/pel/sb/vim/src/eval.c:4156
#15 0x4908df in get_func_tv /home/pel/sb/vim/src/eval.c:8550
#16 0x47d2a5 in ex_call /home/pel/sb/vim/src/eval.c:3510
#17 0x51e32c in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#18 0x516705 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#19 0x5152e9 in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#20 0x8ddb29 in exe_commands /home/pel/sb/vim/src/main.c:2922
#21 0x8d7a88 in main /home/pel/sb/vim/src/main.c:958
#22 0x7f42d8210ec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pel/sb/vim/src/regexp.c:1160 get_coll_element
==25574==ABORTING
Fixed in attached patch.
Regards
Dominique
diff -r a784dfdc4467 src/regexp.c
--- a/src/regexp.c Mon May 04 20:19:22 2015 +0200
+++ b/src/regexp.c Tue May 05 01:28:18 2015 +0200
@@ -1157,7 +1157,7 @@
int l = 1;
char_u *p = *pp;
- if (p[1] == '.')
+ if (p[0] != NUL && p[1] == '.')
{
#ifdef FEAT_MBYTE
if (has_mbyte)
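Review bot: the new `p[0] != NUL` guard on `+ if (p[0] != NUL && p[1] == '.')` lines up with the report above: the region is 8 bytes (the 7-byte line plus its NUL from vim_strsave) and the read lands 0 bytes past its end, so `p` is sitting on the terminator and `p[1]` is the one-byte over-read. A short comment on that line saying that `p` may point at the NUL on entry would save the next reader from re-deriving this from the sanitizer output; and since `get_equi_class` is probed in the same chain in the third hunk, it is worth confirming it does not carry the same unguarded one-byte lookahead.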
@@ -1201,7 +1201,6 @@
#ifdef FEAT_MBYTE
int l;
#endif
-
if (*p == '^') /* Complement of range. */
++p;
if (*p == ']' || *p == '-')
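Review bot: this hunk only deletes a blank line and is unrelated to the fix; whitespace-only churn makes the patch noisier to review and to cherry-pick, so either drop it or submit it as a separate cleanup.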
@@ -1229,7 +1228,8 @@
if (get_char_class(&p) == CLASS_NONE
&& get_equi_class(&p) == 0
&& get_coll_element(&p) == 0)
- ++p; /* It was not a class name */
+ if (*p != NUL)
+ ++p; /* It was not a class name */
}
else
++p;
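Review bot: the nested `if (*p != NUL)` / `++p;` under the three-line condition has no braces and no comment, so it is easy to misread which `if` the increment belongs to; wrapping the outer body in braces, or folding the NUL test into the condition, would make the intent clear at a glance. The guard also means `p` is no longer advanced when it already rests on the terminator, so the enclosing loop has to terminate on NUL by itself; a one-line comment stating that, and naming which of the three class checks can leave `p` at the NUL, would document why the guard is needed here rather than in the callee alone.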
