Dominique wrote:
> Vim-7.4.802 accesses invalid memory when doing:
This is not caused by patch 7.4.802, I suppose, it's just the version
where you happened to find this, right?
> $ vim -u NONE -S crash.vim
>
> ... where crash.vim is the attached file which contains:
>
> call setreg('"',"")
> let k = getreg('"')
> let r = getregtype('"')
> call setreg('#',k,r)
>
> Crash happens at fileio.c:10213
>
> 10212 endp = pat_end - 1;
> 10213 if (*endp == '*')
>
> When bug happens, pat_end and pat are identical (pat is an empty string).
> So endp points to one byte before the allocated block at fileio.c:10213.
>
> Attached fixes it, but I don't know whether pat should have
> been an empty string in the first place. So maybe the patch
> is hiding another bug.
>
> Bug was found by fuzzing with afl-fuzz + asan. Here is asan report:
>
> =================================================================
> ==16314== ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x600400017dcf at pc 0x561f12 bp 0x7fffb9383af0 sp 0x7fffb9383ae8
> READ of size 1 at 0x600400017dcf thread T0
> #0 0x561f11 in file_pat_to_reg_pat /home/dope/sb/vim/src/fileio.c:10213:0
> #1 0x40c35f in buflist_findpat /home/dope/sb/vim/src/buffer.c:2261:0
> #2 0x67e7bb in write_reg_contents_ex /home/dope/sb/vim/src/ops.c:6663:0
> #3 0x49a3c3 in f_setreg /home/dope/sb/vim/src/eval.c:17433:0
> #4 0x479e2e in call_func /home/dope/sb/vim/src/eval.c:8773:0
[...]
Thanks!
--
GALAHAD: No look, really, this isn't nescess ...
PIGLET: We must examine you.
GALAHAD: There's nothing wrong with ... that.
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
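The defect described above is the unconditional `endp = pat_end - 1` read when the pattern is empty. As an added illustration (my own code, not Vim's source and not Dominique's attached patch), this is the shape of a bounds guard that keeps the trailing-'*' check from reading one byte before the buffer; the function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Models the check at fileio.c:10212-10213 from the report:
 *     endp = pat_end - 1;
 *     if (*endp == '*')
 * When pat_end == pat (empty pattern), endp points one byte before the
 * buffer and the read is the heap-buffer-overflow ASan reports. */

/* Hardened form: verify the half-open range [pat, pat_end) is non-empty
 * before inspecting its last byte, so an empty pattern is never dereferenced. */
bool pat_ends_with_star(const char *pat, const char *pat_end)
{
    if (pat == NULL || pat_end == NULL || pat_end <= pat)
        return false;               /* empty or invalid range: nothing to read */
    const char *endp = pat_end - 1; /* now guaranteed to satisfy endp >= pat */
    return *endp == '*';
}

/* Convenience wrapper for a NUL-terminated pattern, which is what the
 * setreg('#', "", ...) path hands down (an empty string in the report). */
bool str_ends_with_star(const char *pat)
{
    return pat_ends_with_star(pat, pat + strlen(pat));
}
```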
--
You received this message from the "vim_dev" maillist.