Dominique wrote:

> Vim-7.4.803 (and older) accesses invalid memory beyond end of
> string when doing:
>
> $ vim -u NONE -c 'exe "sc"'
>
> Bug is fixed in attached patch.
>
> Apparently, ":sc" is doing a :substitute command with the
> 'c' flag. I could not find where it is documented, but perhaps
> I missed it in the doc.
>
> Bug was found using afl-fuzz + asan. Here is asan's report:
>
> =================================================================
> ==5082==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x602000016d33 at pc 0x52c4de bp 0x7ffc38814d00 sp 0x7ffc38814cf8
> READ of size 1 at 0x602000016d33 thread T0
>     #0 0x52c4dd in find_command /home/pel/sb/vim/src/ex_docmd.c:3133
>     #1 0x527ba7 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2114
>     #2 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
>     #3 0x4d7ef8 in ex_execute /home/pel/sb/vim/src/eval.c:22155
>     #4 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
>     #5 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
>     #6 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
>     #7 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
>     #8 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
>     #9 0x7f1fdb67eec4 in __libc_start_main
[...]

Thanks!

-- 
I'd like to meet the man who invented sex and see what he's working on now.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
