Hi

Valgrind or asan detect an access beyond the end of a string
in vim-7.4.811 (and older) when doing:

  $ vim -u NONE -c 'sy match a contained'

Bug also happens with:

  $ vim -u NONE -c 'sy match a fold'

Attached patch fixes it.
Bug was found using afl-fuzz + asan.

Here's the valgrind report:

==16539== Memcheck, a memory error detector
==16539== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==16539== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==16539== Command: /home/pel/sb/vim/src/vim -u NONE -c sy\ match\ a\ contained
==16539== Parent PID: 5976
==16539==
==16539== Invalid read of size 1
==16539==    at 0x548991: get_syn_pattern (syntax.c:5657)
==16539==    by 0x547327: syn_cmd_match (syntax.c:4953)
==16539==    by 0x542186: ex_syntax (syntax.c:6291)
==16539==    by 0x45B2E5: do_one_cmd (ex_docmd.c:2941)
==16539==    by 0x4586D0: do_cmdline (ex_docmd.c:1133)
==16539==    by 0x580C99: exe_commands (main.c:2926)
==16539==    by 0x57EB57: main (main.c:961)
==16539==  Address 0xcd460f5 is 0 bytes after a block of size 21 alloc'd
==16539==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16539==    by 0x4B4247: lalloc (misc2.c:921)
==16539==    by 0x4B4718: vim_strsave (misc2.c:1246)
==16539==    by 0x45857A: do_cmdline (ex_docmd.c:1063)
==16539==    by 0x580C99: exe_commands (main.c:2926)
==16539==    by 0x57EB57: main (main.c:961)

Regards
Dominique
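The defect class behind this report, as an added, self-contained C example (not vim's code and not the attached patch): a "need at least three chars" guard that tests `arg[1]` and `arg[2]` but never `arg[0]` walks past the terminator whenever the argument is the empty string, which is what `sy match a contained` hands to the pattern parser. The two guard functions and the input buffer here are hypothetical stand-ins; the constructed 4-byte buffer puts non-NUL bytes after an empty string so the buggy guard's wrong answer can be shown without actually reading past an allocation.

```c
/* Added example: the off-by-one guard fixed in vim's get_syn_pattern(),
 * reduced to two stand-alone functions. Not vim's code. */
#include <stdio.h>
#include <string.h>

#define NUL '\0'

/* Hypothetical stand-in for the original guard: arg[0] is never tested,
 * so for an empty string arg[1] and arg[2] lie beyond the terminator. */
static int has_three_chars_buggy(const char *arg)
{
    if (arg == NULL || arg[1] == NUL || arg[2] == NUL)
        return 0;
    return 1;
}

/* Guard as corrected by the patch: test the bytes in order, so the
 * left-to-right short-circuit of || stops at the first NUL and nothing
 * past it is ever read. */
static int has_three_chars_fixed(const char *arg)
{
    if (arg == NULL || arg[0] == NUL || arg[1] == NUL || arg[2] == NUL)
        return 0;
    return 1;
}

/* Constructed input: the empty string "" followed by stale non-NUL bytes,
 * standing in for whatever happens to follow a 1-byte heap block. Reading
 * these bytes is defined behaviour here, which keeps the demonstration
 * honest: the buggy guard accepts the empty argument, the fixed one does not. */
static const char empty_then_garbage[4] = { NUL, 'x', 'y', NUL };

/* Returns 1 when the two guards disagree on the empty argument in exactly
 * the way the bug report describes (buggy accepts, fixed rejects). */
int demo_empty_arg_mismatch(void)
{
    int buggy = has_three_chars_buggy(empty_then_garbage);
    int fixed = has_three_chars_fixed(empty_then_garbage);
    return buggy == 1 && fixed == 0;
}

int main(void)
{
    /* Only the fixed guard is safe to run on a genuinely 1-byte string;
     * the buggy one would read two bytes past it, which is the
     * "0 bytes after a block" read valgrind reports. */
    printf("fixed guard on \"\": %d (expect 0)\n", has_three_chars_fixed(""));
    printf("fixed guard on \"abc\": %d (expect 1)\n", has_three_chars_fixed("abc"));
    printf("guards disagree on empty arg: %d (expect 1)\n", demo_empty_arg_mismatch());
    return 0;
}
```

Building this with `-fsanitize=address` and calling `has_three_chars_buggy(strdup(""))` reproduces the report's heap-buffer-overflow read on a 1-byte block; the example deliberately does not do that so it stays runnable everywhere.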

-- 
You received this message from the "vim_dev" maillist.
diff -r e86ada5d3fa0 src/syntax.c
--- a/src/syntax.c	Tue Aug 04 22:02:51 2015 +0200
+++ b/src/syntax.c	Fri Aug 07 23:05:41 2015 +0200
@@ -5654,7 +5654,7 @@
     char_u	*cpo_save;
 
     /* need at least three chars */
-    if (arg == NULL || arg[1] == NUL || arg[2] == NUL)
+    if (arg == NULL || arg[0] == NUL || arg[1] == NUL || arg[2] == NUL)
 	return NULL;
 
     end = skip_regexp(arg + 1, *arg, TRUE, NULL);
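Review bot: the added `arg[0] == NUL` test is correct, but only because `||` evaluates left to right: with it in first position `arg[1]` and `arg[2]` are no longer touched once `arg[0]` is the terminator, which is exactly the 1-byte-past-the-block read valgrind attributes to syntax.c:5657 for an empty argument. Since the guard's safety now depends on operand order, say so in the comment above it, e.g. `/* need at least three chars; test in order so we stop at the first NUL */`, so a later edit does not reorder or "simplify" it back. A regression test driving `:sy match a contained` and `:sy match a fold` from the report would keep the empty-argument path covered.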
