Hi

Valgrind or asan detects an invalid memory access in Vim-7.4.811
when doing:

  $ vim -u NONE -c 'call g:'

Attached patch fixes it.

The bug was found using afl-fuzz + asan.
Here's the valgrind report:

==4107== Memcheck, a memory error detector
==4107== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4107== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==4107== Command: /home/pel/sb/vim/src/vim -u NONE -c call\ g:
==4107== Parent PID: 2659
==4107==
==4107== Invalid read of size 1
==4107==    at 0x430128: find_var_ht (eval.c:21319)
==4107==    by 0x43255A: find_var (eval.c:21245)
==4107==    by 0x42FA1E: deref_func_name (eval.c:8511)
==4107==    by 0x42F30C: ex_call (eval.c:3479)
==4107==    by 0x45B2C5: do_one_cmd (ex_docmd.c:2941)
==4107==    by 0x4586B0: do_cmdline (ex_docmd.c:1133)
==4107==    by 0x580C89: exe_commands (main.c:2926)
==4107==    by 0x57EB47: main (main.c:961)
==4107==  Address 0xcd43261 is 0 bytes after a block of size 1 alloc'd
==4107==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4107==    by 0x4B4227: lalloc (misc2.c:921)
==4107==    by 0x42F966: trans_function_name (eval.c:23062)
==4107==    by 0x42F2A8: ex_call (eval.c:3462)
==4107==    by 0x45B2C5: do_one_cmd (ex_docmd.c:2941)
==4107==    by 0x4586B0: do_cmdline (ex_docmd.c:1133)
==4107==    by 0x580C89: exe_commands (main.c:2926)
==4107==    by 0x57EB47: main (main.c:961)

Regards
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

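The report above boils down to one pattern: the variable name handed to `find_var_ht` is a NUL-terminated string that `trans_function_name` allocated with exactly `strlen + 1` bytes, and for `:call g:` that name is empty, so the one byte allocated is the terminator and any look at `name[1]` runs past the block ("0 bytes after a block of size 1"). The following C model is an added example, not Vim source: `scope_of_name_unguarded`, `scope_of_name_guarded` and `alloc_name` are hypothetical stand-ins for the relevant parts of `find_var_ht` and `lalloc`, and the guarded version applies the same fix as the attached patch (check `name[0]` before touching `name[1]`).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Vim code: a stripped-down model of the scope check in
 * find_var_ht().  Return values are just labels for the three cases. */
enum scope { SCOPE_NONE = 0, SCOPE_PREFIXED = 1, SCOPE_EMPTY = -1 };

/* Hypothetical 'before' version: same order of checks that Valgrind flagged.
 * For name == "" this reads name[1], one byte past a one-byte allocation. */
int scope_of_name_unguarded(const char *name)
{
    if (name[1] != ':')        /* heap overrun when strlen(name) == 0 */
        return SCOPE_NONE;
    return SCOPE_PREFIXED;
}

/* Guarded version, in the spirit of the attached patch: an empty name is
 * rejected before anything dereferences name[1]. */
int scope_of_name_guarded(const char *name)
{
    if (name[0] == '\0')
        return SCOPE_EMPTY;
    if (name[1] != ':')
        return SCOPE_NONE;
    return SCOPE_PREFIXED;
}

/* Allocate the name as tightly as lalloc(strlen(src) + 1) would, so that a
 * read of name[1] on "" is a real overrun that ASan or Valgrind will report
 * rather than a silent read of slack space in a larger buffer. */
char *alloc_name(const char *src)
{
    size_t n = strlen(src);
    char *p = malloc(n + 1);
    if (p == NULL) {
        perror("malloc");
        exit(1);
    }
    memcpy(p, src, n + 1);     /* copies the terminating NUL as well */
    return p;
}

int main(void)
{
    char *empty = alloc_name("");   /* constructed input: the ":call g:" case */
    printf("guarded(\"\")    = %d\n", scope_of_name_guarded(empty));
    printf("guarded(\"g:x\") = %d\n", scope_of_name_guarded("g:x"));
    printf("guarded(\"x\")   = %d\n", scope_of_name_guarded("x"));
    /* Build with -fsanitize=address (or run under valgrind) and uncomment the
     * next line to see the same "1 byte past a 1-byte block" report as above:
     * printf("%d\n", scope_of_name_unguarded(empty)); */
    free(empty);
    return 0;
}
```

The point of `alloc_name` is that the bug is only visible when the allocation is exact: with a string literal or a larger buffer, `name[1]` on an empty name reads a byte that happens to exist, which is why fuzzing under asan or valgrind is what surfaced it rather than ordinary use.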
diff -r e86ada5d3fa0 src/eval.c
--- a/src/eval.c	Tue Aug 04 22:02:51 2015 +0200
+++ b/src/eval.c	Sat Aug 08 07:26:49 2015 +0200
@@ -21316,6 +21316,8 @@
 {
     hashitem_T	*hi;
 
+    if (name[0] == NUL)
+	return NULL;
     if (name[1] != ':')
     {
 	/* The name must not start with a colon or #. */
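Review bot: the new `if (name[0] == NUL) return NULL;` is correct only if every caller of find_var_ht treats a NULL hashtab as "variable not found", so it is worth confirming that for find_var (the caller in the Valgrind trace) and the others before merging; the guard also has no comment, and a one-liner in the style of the existing `/* The name must not start with a colon or #. */` explaining that an empty name is invalid and that `name[1]` would otherwise read past a one-byte string would keep the reason for the early return from being lost.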
