Dominique Pellé wrote:
> Vim-7.4.729 accesses invalid memory (global overflow) when doing:
>
> $ vim -u NONE -c 'set re=1' \
> -c 'e ++enc=utf8 ++bad=keep crash-5' \
> -c 'call search(getline("."))'
>
> ... where crash-5 is the attached file (8 bytes).
>
> Asan reports:
>
> ==5792==ERROR: AddressSanitizer: global-buffer-overflow on address
> 0x0000011f58e7 at pc 0xafd150 bp 0x7ffcc79a6ee0 sp 0x7ffcc79a6ed8
> READ of size 1 at 0x0000011f58e7 thread T0
> #0 0xafd14f in utf_head_off /home/pel/sb/vim/src/mbyte.c:3514
> #1 0xd978ad in regmatch /home/pel/sb/vim/src/regexp.c:5588
> #2 0xd978ad in regtry /home/pel/sb/vim/src/regexp.c:4099
> #3 0xd9d845 in bt_regexec_both /home/pel/sb/vim/src/regexp.c:3988
> #4 0xdc439a in vim_regexec_multi /home/pel/sb/vim/src/regexp.c:8275
> #5 0xe87449 in searchit /home/pel/sb/vim/src/search.c:639
> #6 0x593533 in search_cmn /home/pel/sb/vim/src/eval.c:16366
> #7 0x593533 in f_search /home/pel/sb/vim/src/eval.c:16516
> #8 0x611d47 in call_func /home/pel/sb/vim/src/eval.c:8765
> #9 0x63e3dc in get_func_tv /home/pel/sb/vim/src/eval.c:8565
> #10 0x65ac39 in ex_call /home/pel/sb/vim/src/eval.c:3510
> #11 0x75aa1d in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
> #12 0x77016d in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
> #13 0x4237c6 in exe_commands /home/pel/sb/vim/src/main.c:2922
> #14 0x4237c6 in main /home/pel/sb/vim/src/main.c:958
> #15 0x7fca25193ec4 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
> #0 0x42a5e9 in _start ??:?
>
> 0x0000011f58e7 is located 57 bytes to the left of global variable
> '*.LC18' from 'regexp.c' (0x11f5920) of size 2
> '*.LC18' is ascii string '\'
> 0x0000011f58e7 is located 6 bytes to the right of global variable
> '*.LC17' from 'regexp.c' (0x11f58e0) of size 1
> '*.LC17' is ascii string ''
> SUMMARY: AddressSanitizer: global-buffer-overflow
> /home/pel/sb/vim/src/mbyte.c:3514 utf_head_off
[...]
> Code in regexp.c:5588
>
> 5583 else
> 5584 {
> 5585 #ifdef FEAT_MBYTE
> 5586 if (has_mbyte)
> 5587 rp->rs_un.regsave.rs_u.pos.col -=
> 5588 (*mb_head_off)(regline, regline
> 5589 +
> rp->rs_un.regsave.rs_u.pos.col - 1) + 1;
> 5590 else
> 5591 #endif
>
> When bug happens:
>
> * rp->rs_un.regsave.rs_u.pos.col - 1 is equal to 7
> * regline is an empty string which has been set by
> reg_getline() at line 3718:
>
> 3708 static char_u *
> 3709 reg_getline(lnum)
> 3710 linenr_T lnum;
> 3711 {
> 3712 /* when looking behind for a match/no-match lnum is negative. But
> we
> 3713 * can't go before line 1 */
> 3714 if (reg_firstlnum + lnum < 1)
> 3715 return NULL;
> 3716 if (lnum > reg_maxline)
> 3717 /* Must have matched the "\n" in the last line. */
> !3718 return (char_u *)"";
> 3719 return ml_get_buf(reg_buf, reg_firstlnum + lnum, FALSE);
> 3720 }
>
> So "regline + rp->rs_un.regsave.rs_u.pos.col - 1" at regexp.c:5588
> is pointing to invalid memory (global overflow).
>
> Bug was found by afl-fuzz (http://lcamtuf.coredump.cx/afl/).
> Sorry, no patch as I don't know how to fix it.
I am unable to see this problem with valgrind. Any idea why?
Perhaps the problem was fixed by another patch already?
--
Facepalm reply #3: "I had a great time in Manhattan" "I thought you were
going to New York?"
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
