Dominique Pellé wrote:
> Valgrind or asan detect a heap write overflow in
> vim-7.4.812 (and older) when doing:
>
> $ vim -u NONE -c 'b\<Tab>'
>
> ... where <Tab> is a single tab character. In other words,
> the Ex command causing invalid memory access is made
> of 3 characters: b backslash tab
>
> Attached patch fixes it.
> Bug was found using afl-fuzz (american fuzzy lop) + asan (address sanitizer).
>
> Valgrind report:
>
> ==5149== Memcheck, a memory error detector
> ==5149== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==5149== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright
> info
> ==5149== Command: ./vim -u NONE -c b\\»·
> ==5149== Parent PID: 2618
> ==5149==·
> ==5149== Invalid write of size 1
> ==5149== at 0x47E9C2: file_pat_to_reg_pat (fileio.c:10343)
> ==5149== by 0x41029D: buflist_findpat (buffer.c:2261)
> ==5149== by 0x45B269: do_one_cmd (ex_docmd.c:2905)
> ==5149== by 0x4586E0: do_cmdline (ex_docmd.c:1133)
> ==5149== by 0x580CA9: exe_commands (main.c:2926)
> ==5149== by 0x57EB67: main (main.c:961)
> ==5149== Address 0xcd386d4 is 0 bytes after a block of size 4 alloc'd
> ==5149== at 0x4C2AB80: malloc (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==5149== by 0x4B4247: lalloc (misc2.c:921)
> ==5149== by 0x47E666: file_pat_to_reg_pat (fileio.c:10201)
> ==5149== by 0x41029D: buflist_findpat (buffer.c:2261)
> ==5149== by 0x45B269: do_one_cmd (ex_docmd.c:2905)
> ==5149== by 0x4586E0: do_cmdline (ex_docmd.c:1133)
> ==5149== by 0x580CA9: exe_commands (main.c:2926)
> ==5149== by 0x57EB67: main (main.c:961)
> (skip more errors after that)
Thanks again!
--
[clop clop]
ARTHUR: Old woman!
DENNIS: Man!
ARTHUR: Man, sorry. What knight lives in that castle over there?
DENNIS: I'm thirty seven.
ARTHUR: What?
DENNIS: I'm thirty seven -- I'm not old!
The Quest for the Holy Grail (Monty Python)
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
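The report above describes a heap write overflow in a pattern-to-regex conversion: the output block was allocated at 4 bytes for the 3-byte input `b` backslash Tab, and the conversion then wrote past it. The program below is an added illustration of the defensive pattern that prevents this bug class, not Vim's `file_pat_to_reg_pat` and not the attached patch. Its conversion rules (`*` to `.*`, `?` to `.`, backslash quoting the next character, Tab to `\t`, other control bytes to `\xHH`) and the names `writer_t`, `pat_to_regpat` and `pat_to_regpat_alloc` are assumptions made for the example. The same routine serves as a sizing pass (NULL buffer) and as a bounded fill pass, and the allocator refuses the result if the two passes disagree.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded writer: counts every byte it is asked to emit but
 * stores only the ones that fit, so one routine serves both the sizing
 * pass (buf == NULL) and the real fill. */
typedef struct {
    char *buf;   /* destination, or NULL for a pure sizing pass */
    size_t cap;  /* bytes available in buf, including room for the NUL */
    size_t len;  /* bytes the complete output needs, NUL excluded */
} writer_t;

static void put(writer_t *w, char c)
{
    if (w->buf != NULL && w->len + 1 < w->cap)
        w->buf[w->len] = c;
    w->len++;
}

static int is_regex_special(unsigned char c)
{
    return c != '\0' && strchr(".^$*[]~\\", c) != NULL;
}

/* Convert a file-name glob to an anchored regex (rules are this example's
 * own, not Vim's).  Returns the number of bytes the full result needs
 * (NUL excluded), like snprintf, even when buf is NULL or too small. */
size_t pat_to_regpat(const char *pat, char *buf, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    writer_t w = { buf, cap, 0 };
    const unsigned char *p = (const unsigned char *)pat;

    put(&w, '^');
    for (; *p != '\0'; p++) {
        unsigned char c = *p;
        if (c == '\\') {
            if (p[1] == '\0') {      /* trailing backslash: keep it literally */
                put(&w, '\\');
                put(&w, '\\');
                break;
            }
            c = *++p;                /* quoted character, emitted literally below */
        } else if (c == '*') {
            put(&w, '.');
            put(&w, '*');
            continue;
        } else if (c == '?') {
            put(&w, '.');
            continue;
        }
        /* One input byte can expand to two or four output bytes here, so an
         * allocation sized as strlen(pat) plus a constant would be too small. */
        if (c == '\t') {
            put(&w, '\\');
            put(&w, 't');
        } else if (c < 0x20 || c == 0x7f) {
            put(&w, '\\');
            put(&w, 'x');
            put(&w, hex[c >> 4]);
            put(&w, hex[c & 0x0f]);
        } else {
            if (is_regex_special(c))
                put(&w, '\\');
            put(&w, (char)c);
        }
    }
    put(&w, '$');

    if (buf != NULL && cap > 0)
        buf[w.len < cap ? w.len : cap - 1] = '\0';
    return w.len;
}

/* Size first, then fill with a bound, then check that both passes agree.
 * A mismatch means the two code paths drifted apart, which is what turns
 * into a heap overflow when the fill pass is unbounded. */
char *pat_to_regpat_alloc(const char *pat)
{
    size_t need = pat_to_regpat(pat, NULL, 0);
    char *out = malloc(need + 1);
    if (out == NULL)
        return NULL;
    if (pat_to_regpat(pat, out, need + 1) != need) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    /* Constructed inputs; the first is the report's b backslash Tab. */
    const char *samples[] = { "b\\\t", "*.c", "b\\", "a?b" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *re = pat_to_regpat_alloc(samples[i]);
        printf("%zu bytes: %s\n", pat_to_regpat(samples[i], NULL, 0),
               re ? re : "(alloc failed)");
        free(re);
    }
    return 0;
}
```

For the report's input the sizing pass returns 5 (`^b\t$`), one more than a naive `strlen + 1` allocation of 4 bytes; with a deliberately undersized buffer the bounded writer truncates and still reports the full length instead of writing past the end.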