Dominique wrote:
> Valgrind or asan detect access beyond end of string
> in vim-7.4.811 (and older) when doing:
>
> $ vim -u NONE -c 'sy match a contained'
>
> Bug also happens with:
>
> $ vim -u NONE -c 'sy match a fold'
>
> Attached patch fixes it.
> Bug was found using afl-fuzz + asan.
>
> Here's valgrind report:
>
> ==16539== Memcheck, a memory error detector
> ==16539== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==16539== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
> ==16539== Command: /home/pel/sb/vim/src/vim -u NONE -c sy\ match\ a\ contained
> ==16539== Parent PID: 5976
> ==16539==
> ==16539== Invalid read of size 1
> ==16539== at 0x548991: get_syn_pattern (syntax.c:5657)
> ==16539== by 0x547327: syn_cmd_match (syntax.c:4953)
> ==16539== by 0x542186: ex_syntax (syntax.c:6291)
> ==16539== by 0x45B2E5: do_one_cmd (ex_docmd.c:2941)
> ==16539== by 0x4586D0: do_cmdline (ex_docmd.c:1133)
> ==16539== by 0x580C99: exe_commands (main.c:2926)
> ==16539== by 0x57EB57: main (main.c:961)
> ==16539== Address 0xcd460f5 is 0 bytes after a block of size 21 alloc'd
> ==16539== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==16539== by 0x4B4247: lalloc (misc2.c:921)
> ==16539== by 0x4B4718: vim_strsave (misc2.c:1246)
> ==16539== by 0x45857A: do_cmdline (ex_docmd.c:1063)
> ==16539== by 0x580C99: exe_commands (main.c:2926)
> ==16539== by 0x57EB57: main (main.c:961)
Thanks!
--
GUARD #2: Wait a minute -- supposing two swallows carried it together?
GUARD #1: No, they'd have to have it on a line.
GUARD #2: Well, simple! They'd just use a standard creeper!
GUARD #1: What, held under the dorsal guiding feathers?
GUARD #2: Well, why not?
The Quest for the Holy Grail (Monty Python)
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
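
Added example, not part of the thread and not Vim's source: the report's "0 bytes after a block of size 21" is consistent with a copy of the 20-character command plus its NUL, read at offset 21. This simplified model shows how a scan that consumes trailing options stops on the NUL, where the byte after it lies outside the block, and the check that rejects a missing pattern. `skip_words`, `skip_options`, `unchecked_probe_offset` and `find_pattern` are hypothetical names, and only the two options from the report are modelled.

```c
#include <stdio.h>
#include <string.h>

/* Skip n space-separated words ("sy", "match", group name). Model only. */
static const char *skip_words(const char *p, int n)
{
    while (n-- > 0) {
        while (*p && *p != ' ') p++;
        while (*p == ' ') p++;
    }
    return p;
}

/* Skip the two option keywords used in the reported commands. */
static const char *skip_options(const char *p)
{
    static const char *const opts[] = { "contained", "fold" };
    for (int i = 0; i < 2; i++) {
        size_t n = strlen(opts[i]);
        if (strncmp(p, opts[i], n) == 0 && (p[n] == '\0' || p[n] == ' ')) {
            for (p += n; *p == ' '; p++) {}
            i = -1;                /* rescan: options may repeat */
        }
    }
    return p;
}

/* Offset a scanner would read if it tested p[1] without testing p[0].
 * Computed only, never dereferenced. */
size_t unchecked_probe_offset(const char *cmd)
{
    return (size_t)(skip_options(skip_words(cmd, 3)) - cmd) + 1;
}

/* Checked form: NULL when no pattern follows the options. */
const char *find_pattern(const char *cmd)
{
    const char *p = skip_options(skip_words(cmd, 3));
    return (p[0] == '\0' || p[1] == '\0') ? NULL : p;
}

int main(void)
{
    const char *cmd = "sy match a contained";   /* command from the report */
    printf("len+NUL=%zu probe=%zu pattern=%s\n", strlen(cmd) + 1,
           unchecked_probe_offset(cmd), find_pattern(cmd) ? "yes" : "none");
    return 0;
}
```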