Hi

Valgrind or ASan detect a heap write overflow in
vim-7.4.812 (and older) when doing:

  $ vim -u NONE -c 'b\<Tab>'

... where <Tab> is a single tab character. In other words,
the Ex command causing invalid memory access is made
of 3 characters: b backslash tab

Attached patch fixes it.
The bug was found using afl-fuzz (american fuzzy lop) + ASan (AddressSanitizer).

Valgrind report:

==5149== Memcheck, a memory error detector
==5149== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==5149== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==5149== Command: ./vim -u NONE -c b\\»·
==5149== Parent PID: 2618
==5149==
==5149== Invalid write of size 1
==5149==    at 0x47E9C2: file_pat_to_reg_pat (fileio.c:10343)
==5149==    by 0x41029D: buflist_findpat (buffer.c:2261)
==5149==    by 0x45B269: do_one_cmd (ex_docmd.c:2905)
==5149==    by 0x4586E0: do_cmdline (ex_docmd.c:1133)
==5149==    by 0x580CA9: exe_commands (main.c:2926)
==5149==    by 0x57EB67: main (main.c:961)
==5149==  Address 0xcd386d4 is 0 bytes after a block of size 4 alloc'd
==5149==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5149==    by 0x4B4247: lalloc (misc2.c:921)
==5149==    by 0x47E666: file_pat_to_reg_pat (fileio.c:10201)
==5149==    by 0x41029D: buflist_findpat (buffer.c:2261)
==5149==    by 0x45B269: do_one_cmd (ex_docmd.c:2905)
==5149==    by 0x4586E0: do_cmdline (ex_docmd.c:1133)
==5149==    by 0x580CA9: exe_commands (main.c:2926)
==5149==    by 0x57EB67: main (main.c:961)
(more errors after that are skipped)

Regards
Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

diff -r 9c248be4e7d2 src/fileio.c
--- a/src/fileio.c	Sat Aug 08 18:23:47 2015 +0200
+++ b/src/fileio.c	Sun Aug 09 06:06:00 2015 +0200
@@ -10277,7 +10277,7 @@
 		    reg_pat[i++] = '?';
 		else
 		    if (*p == ',' || *p == '%' || *p == '#'
-				       || *p == ' ' || *p == '{' || *p == '}')
+			       || vim_isspace(*p) || *p == '{' || *p == '}')
 			reg_pat[i++] = *p;
 		    else if (*p == '\\' && p[1] == '\\' && p[2] == '{')
 		    {
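Review bot: the hunk changes only the copy pass's predicate, while the Valgrind trace shows the 4-byte block being allocated earlier in the same function (fileio.c:10201) and the copy pass writing one byte past it (fileio.c:10343), i.e. the size-estimate pass and the copy pass disagree by exactly one byte for `\<Tab>`. Treating an escaped tab like an escaped space, so that it is copied as a single byte instead of as backslash plus tab, makes this input fit, but please confirm that the estimate loop counts an escaped tab the same way the copy loop now emits it, and in particular that the copy loop cannot step past the end of the range the estimate was computed over; otherwise the mismatch is narrowed to this one character rather than removed. A regression test that runs `:b\<Tab>` under Valgrind or ASan would pin this down. Minor: the `+` line appears to have lost one leading tab relative to the `-` line it replaces, so the `||` continuation no longer aligns with the line above it; keep the original indentation.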

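To make the mechanism behind the report concrete, here is an added example in C; it is neither Vim's code nor the reporter's patch. It models the two-pass shape of file_pat_to_reg_pat() as the trace above exposes it (a size-estimate pass, one allocation, then a copy pass) and assumes, as my own reconstruction from the numbers in the report, that the :b argument range handed to the converter has had its trailing tab trimmed while the tab itself still sits in the string, and that vim_isspace() accepts space and tab. Under those assumptions the pre-patch predicate makes the copy pass want 5 bytes for a 4-byte block, the one-byte overrun Valgrind shows; the patched predicate makes the output fit. The example goes one step beyond the patch by also showing a structural guard, stopping the copy pass at pat_end, which keeps the two passes in agreement whatever the predicate says:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which characters stand for themselves after a backslash. */
typedef int (*self_pred)(int c);

/* Pre-patch list, as in the "-" line of the hunk: space yes, tab no. */
int escapes_to_self_old(int c)
{
    return c == ',' || c == '%' || c == '#' || c == ' ' || c == '{' || c == '}';
}

/* Post-patch list: vim_isspace(c) taken to mean space or tab (assumption). */
int escapes_to_self_new(int c)
{
    return c == ',' || c == '%' || c == '#' || c == ' ' || c == '\t'
        || c == '{' || c == '}';
}

/* Pass 1: size estimate over [pat, pat_end): '^', '$' and one byte per
 * input byte.  Only the default case of the real estimate is modelled. */
size_t estimate_size(const char *pat, const char *pat_end)
{
    return 2 + (size_t)(pat_end - pat);
}

/* Pass 2: the copy.  Returns the number of bytes it wanted to write, NUL
 * included; actual stores are clipped to cap so this demo cannot corrupt
 * the heap.  A result above cap is the overflow Valgrind flagged.
 * stop_at_end=1 is the structural guard: never look beyond pat_end, so the
 * copy cannot consume a byte the estimate never counted. */
size_t convert(const char *pat, const char *pat_end, self_pred self,
               int stop_at_end, char *out, size_t cap)
{
    size_t i = 0;
#define EMIT(ch) do { if (i < cap) out[i] = (char)(ch); i++; } while (0)
    EMIT('^');
    for (const char *p = pat; p < pat_end; p++) {
        if (*p != '\\') {
            EMIT(*p);
            continue;
        }
        /* NUL-only check: a byte sitting just past pat_end still gets used. */
        if (stop_at_end ? p + 1 >= pat_end : p[1] == '\0')
            break;
        ++p;
        if (self((unsigned char)*p)) {
            EMIT(*p);                /* one byte, matches the estimate */
        } else {
            EMIT('\\');              /* two bytes for a byte counted zero times */
            EMIT(*p);
        }
    }
    EMIT('$');
    EMIT('\0');
#undef EMIT
    return i;
}

/* The ":b <arg>" path as reconstructed: trailing white space is dropped from
 * the RANGE given to the converter, escaped or not, while the bytes stay in
 * the string.  Returns (bytes the copy needed) - (bytes allocated): positive
 * is a heap overflow.  A result that fits is copied to result, else "". */
long overflow_bytes(const char *arg, self_pred self, int stop_at_end,
                    char *result, size_t result_cap)
{
    const char *pat = arg;
    const char *pat_end = arg + strlen(arg);
    size_t block, need;
    char *reg;

    while (pat_end > pat && (pat_end[-1] == ' ' || pat_end[-1] == '\t'))
        --pat_end;
    block = estimate_size(pat, pat_end) + 1;         /* alloc(size + 1) */
    reg = malloc(block);
    if (reg == NULL)
        abort();
    need = convert(pat, pat_end, self, stop_at_end, reg, block);
    if (result != NULL && result_cap > 0) {
        if (need <= block && need <= result_cap)
            memcpy(result, reg, need);
        else
            result[0] = '\0';
    }
    free(reg);
    return (long)need - (long)block;
}

int main(void)
{
    char rx[32];   /* constructed inputs below: the report's "b\<Tab>" argument */

    printf("old predicate, b\\<Tab>: %ld byte(s) past a 4-byte block\n",
           overflow_bytes("\\\t", escapes_to_self_old, 0, rx, sizeof rx));
    printf("patched predicate:      %ld, regex \"%s\"\n",
           overflow_bytes("\\\t", escapes_to_self_new, 0, rx, sizeof rx), rx);
    printf("stop at pat_end:        %ld, regex \"%s\"\n",
           overflow_bytes("\\\t", escapes_to_self_old, 1, rx, sizeof rx), rx);
    return 0;
}
```

Stores in the miniature are clipped to the block size and the shortfall is reported as a number, so it runs cleanly without ASan; build with `cc -std=c99 -Wall` and run to see the three cases. The same input with an escaped space instead of a tab fits even with the old predicate, which is why only the tab variant surfaced under the fuzzer.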