Hi
Vim-7.4.803 (and older) accesses invalid memory beyond the end of a
string when doing:
$ vim -u NONE -c 'exe "sc"'
The bug is fixed in the attached patch.
Apparently, ":sc" is doing a :substitute command with the
'c' flag. I could not find where it is documented, but perhaps
I missed it in the doc.
The bug was found using afl-fuzz + ASan. Here is ASan's report:
=================================================================
==5082==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000016d33 at pc 0x52c4de bp 0x7ffc38814d00 sp 0x7ffc38814cf8
READ of size 1 at 0x602000016d33 thread T0
#0 0x52c4dd in find_command /home/pel/sb/vim/src/ex_docmd.c:3133
#1 0x527ba7 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2114
#2 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#3 0x4d7ef8 in ex_execute /home/pel/sb/vim/src/eval.c:22155
#4 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
#5 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#6 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#7 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#8 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#9 0x7f1fdb67eec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#10 0x40ea18 (/home/pel/sb/vim/src/vim+0x40ea18)
0x602000016d33 is located 0 bytes to the right of 3-byte region
[0x602000016d30,0x602000016d33)
allocated by thread T0 here:
#0 0x7f1fde44f7df in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x664ca7 in lalloc /home/pel/sb/vim/src/misc2.c:921
#2 0x664a8b in alloc /home/pel/sb/vim/src/misc2.c:820
#3 0x665533 in vim_strsave /home/pel/sb/vim/src/misc2.c:1246
#4 0x522f35 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1063
#5 0x4d7ef8 in ex_execute /home/pel/sb/vim/src/eval.c:22155
#6 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
#7 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#8 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#9 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#10 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#11 0x7f1fdb67eec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pel/sb/vim/src/ex_docmd.c:3133 find_command
Shadow bytes around the buggy address:
0x0c047fffad50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffad90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fffada0: fa fa fa fa fa fa[03]fa fa fa fd fa fa fa 00 01
0x0c047fffadb0: fa fa 04 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fffadc0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fffadd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffade0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffadf0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==5082==ABORTING
Regards
Dominique
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
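The over-read that the ASan trace pins to find_command() is a one-byte read at index 3 of a 3-byte allocation ("sc" plus its NUL). The following is an added example, not Vim's code and not the patch author's: it re-states the two versions of the ":sc" prefix test over an instrumented string so that every p[i] access is bounds-checked the way ASan checks it. The struct cmd/at() instrumentation and the run_cond()/reads_past_end()/classifies_as_subst() helpers are assumptions made for this example. It goes beyond the reported ":sc" case: the old condition also reads past the end of any three-character command starting with "sc" (for instance "scx", which allocates 4 bytes and has p[4] read), while the patched condition stops at the first NUL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUL '\0'

/* A command string plus the size of its allocation, so each p[i] access can
 * be checked. Instrumentation added for this example; Vim just indexes. */
struct cmd {
    const char *p;
    size_t len;       /* bytes allocated, including the terminating NUL */
    size_t max_index; /* highest index that was read */
    int oob;          /* set once a read lands at or past len */
};

/* Bounds-checked model of "p[i]": records the access, flags an overflow
 * instead of crashing, and returns 0 for an out-of-bounds byte. */
static char at(struct cmd *c, size_t i)
{
    if (i > c->max_index)
        c->max_index = i;
    if (i >= c->len) {
        c->oob = 1;
        return 0;
    }
    return c->p[i];
}

/* Condition as in Vim 7.4.803: after p[2] is neither 's' nor 'r' it goes on
 * to p[3] and p[4] even when p[2] was already the terminating NUL. */
int sc_is_subst_orig(struct cmd *c)
{
    return at(c, 0) == 's' && at(c, 1) == 'c'
        && at(c, 2) != 's' && at(c, 2) != 'r'
        && at(c, 3) != 'i' && at(c, 4) != 'p';
}

/* Condition as in the patch: a NUL at p[2] or p[3] short-circuits before
 * any later index is touched. */
int sc_is_subst_fixed(struct cmd *c)
{
    return at(c, 0) == 's' && at(c, 1) == 'c'
        && (at(c, 2) == NUL
            || (at(c, 2) != 's' && at(c, 2) != 'r'
                && (at(c, 3) == NUL
                    || (at(c, 3) != 'i' && at(c, 4) != 'p'))));
}

struct run {
    int result;       /* 1 if the text was classified as ":s" + flags */
    int oob;          /* 1 if any byte past the allocation was read */
    size_t max_index; /* highest index read */
};

/* Copy cmd into a heap block of exactly strlen(cmd)+1 bytes, as vim_strsave()
 * does in the ASan trace, and run one of the two conditions over it. */
static struct run run_cond(int (*cond)(struct cmd *), const char *cmd)
{
    size_t n = strlen(cmd) + 1;
    char *copy = malloc(n);
    struct run r = { 0, 0, 0 };

    if (copy != NULL) {
        struct cmd c = { copy, n, 0, 0 };
        memcpy(copy, cmd, n);
        r.result = cond(&c);
        r.oob = c.oob;
        r.max_index = c.max_index;
        free(copy);
    }
    return r;
}

/* 1 if cond read past the allocation holding cmd (what ASan would abort on). */
int reads_past_end(int (*cond)(struct cmd *), const char *cmd)
{
    return run_cond(cond, cmd).oob;
}

/* 1 if cond treats cmd as ":s" followed by flag characters. */
int classifies_as_subst(int (*cond)(struct cmd *), const char *cmd)
{
    return run_cond(cond, cmd).result;
}

int main(void)
{
    /* Constructed sample commands; "sc" is the reporter's reproducer. */
    const char *samples[] = { "sc", "scx", "scs", "scr", "scriptnames", "sc&&" };
    size_t i;

    printf("%-12s %-24s %s\n", "command", "7.4.803", "patched");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct run o = run_cond(sc_is_subst_orig, samples[i]);
        struct run f = run_cond(sc_is_subst_fixed, samples[i]);
        printf("%-12s subst=%d oob=%d max=%zu   subst=%d oob=%d max=%zu\n",
               samples[i], o.result, o.oob, o.max_index,
               f.result, f.oob, f.max_index);
    }
    return 0;
}
```

Built with -fsanitize=address the instrumentation is redundant, since ASan would abort on the same read that at() records; under a plain build it is what makes the over-read visible. Note that on "scriptnames" and "scs" both conditions stop at p[2] and agree, and on a command of five or more bytes such as "sc&&" they read the same indices and return the same verdict, so the patch only changes behaviour where the old code was reading past the terminator.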
diff -r 893d1ea575c9 src/ex_docmd.c
--- a/src/ex_docmd.c Tue Jul 28 21:17:37 2015 +0200
+++ b/src/ex_docmd.c Sat Aug 01 04:04:53 2015 +0200
@@ -3129,8 +3129,8 @@
++p;
}
else if (p[0] == 's'
- && ((p[1] == 'c' && p[2] != 's' && p[2] != 'r'
- && p[3] != 'i' && p[4] != 'p')
+ && ((p[1] == 'c' && (p[2] == NUL || (p[2] != 's' && p[2] != 'r'
+ && (p[3] == NUL || (p[3] != 'i' && p[4] != 'p')))))
|| p[1] == 'g'
|| (p[1] == 'i' && p[2] != 'm' && p[2] != 'l' && p[2] != 'g')
|| p[1] == 'I'
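Review bot: the two new `== NUL` tests are what keep `p[3]` and `p[4]` from being read on a two- or three-character command, but nothing in the hunk says so, and the expression is now nested five levels deep; add a comment above the `else if` stating that the NUL checks exist because the command may be shorter than five bytes, so the next person does not "simplify" the short-circuit away. Second, `p[2] != 'r'` already rejects every ":scr…" command, so it is unclear which command the surviving `p[3] != 'i' && p[4] != 'p'` test is meant to exclude; either document it or drop it, which would also remove the `p[4]` read entirely. Finally, the reporter's reproducer `:exe "sc"` is cheap to run; adding it to the test suite so an ASan build would catch a regression of this read would be worthwhile.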