Hi

Valgrind or ASan detects an access to invalid memory in
Vim-7.4.823 (and older) when doing:

  $ vim -u NONE -c 'syn keyword x a['

The bug was found with afl-fuzz + ASan.

Here is valgrind's report:

==8902== Memcheck, a memory error detector
==8902== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8902== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==8902== Command: ./vim -u NONE -c syn\ keyword\ x\ a[
==8902== Parent PID: 3196
==8902==
==8902== Invalid read of size 1
==8902==    at 0x4C2E0E2: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8902==    by 0x5466EE: syn_cmd_keyword (syntax.c:4862)
==8902==    by 0x541A56: ex_syntax (syntax.c:6291)
==8902==    by 0x45B0D5: do_one_cmd (ex_docmd.c:2941)
==8902==    by 0x4584C0: do_cmdline (ex_docmd.c:1133)
==8902==    by 0x5803E9: exe_commands (main.c:2926)
==8902==    by 0x57E2A7: main (main.c:961)
==8902==  Address 0xcd33983 is 0 bytes after a block of size 3 alloc'd
==8902==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8902==    by 0x4B3F47: lalloc (misc2.c:921)
==8902==    by 0x5464BE: syn_cmd_keyword (syntax.c:4821)
==8902==    by 0x541A56: ex_syntax (syntax.c:6291)
==8902==    by 0x45B0D5: do_one_cmd (ex_docmd.c:2941)
==8902==    by 0x4584C0: do_cmdline (ex_docmd.c:1133)
==8902==    by 0x5803E9: exe_commands (main.c:2926)
==8902==    by 0x57E2A7: main (main.c:961)

Furthermore, if you put characters after the closing brackets as in:

  $ vim -u NONE -c 'syn keyword x ab[c]de fgh'

... then the "de" trailing characters are silently ignored.
I think that Vim should report an error for trailing characters
after a closing bracket.

The attached patch fixes the invalid memory access and
adds an error for spurious characters after closing brackets.

Regards
Dominique
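As an added illustration (not Vim's code and not part of the attached patch), here is a reduced C model of the two paths in this report: the old cursor advance that mirrors the removed "kw = p + 2" line and leaves the caller's next strlen() starting one byte past the malloc'd block, beside a check that stops with an error the way the patch does. Function names and the keyword strings are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

typedef enum { KW_OK, KW_MISSING_BRACKET, KW_TRAILING_CHARS } kw_status;

/* Old behaviour (model of the removed code): scan a NUL-terminated keyword
 * for the "[...]" optional-character group and return, as a byte offset,
 * where the cursor is left. The caller then steps to the next keyword with
 * strlen(cursor) + 1, so a cursor past the NUL makes strlen() read outside
 * the malloc'd block (valgrind: "0 bytes after a block of size 3"). */
size_t buggy_cursor_offset(const char *kw)
{
    const char *p = strchr(kw, '[');

    if (p == NULL)
        return 0;                           /* no bracket: cursor unchanged */
    for (;; ++p)
    {
        if (p[1] == '\0')
            return (size_t)(p + 2 - kw);    /* "skip over the NUL": one past it */
        if (p[1] == ']')
            return (size_t)(p + 1 - kw);    /* stop at ']'; anything after it
                                               is silently skipped by the caller */
    }
}

/* True when a cursor offset still lies inside a block of 'size' bytes. */
int cursor_in_block(size_t offset, size_t size)
{
    return offset < size;
}

/* Fixed behaviour (model of the patched code): validate "name[optional]"
 * and report the first problem instead of moving the cursor past it. */
kw_status check_keyword(const char *kw)
{
    const char *open = strchr(kw, '[');
    const char *close;

    if (open == NULL)
        return KW_OK;
    close = strchr(open + 1, ']');
    if (close == NULL)
        return KW_MISSING_BRACKET;          /* E789 case, e.g. "a[" */
    if (close[1] != '\0')
        return KW_TRAILING_CHARS;           /* new error, e.g. "ab[c]de" */
    return KW_OK;
}
```

For "a[" (a 3-byte block including the NUL) the old path leaves the cursor at offset 3, exactly the address valgrind flags; the check instead reports the missing bracket before any further read.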

-- 
You received this message from the "vim_dev" maillist.
diff -r 349e6c01f35d src/syntax.c
--- a/src/syntax.c	Tue Aug 11 20:34:49 2015 +0200
+++ b/src/syntax.c	Tue Aug 11 23:03:36 2015 +0200
@@ -4873,11 +4873,16 @@
 			if (p[1] == NUL)
 			{
 			    EMSG2(_("E789: Missing ']': %s"), kw);
-			    kw = p + 2;		/* skip over the NUL */
-			    break;
+			    goto error;
 			}
 			if (p[1] == ']')
 			{
+			    if (p[2] != NUL)
+			    {
+				EMSG3(_("E999: trailing char after ']': %s]%s"),
+								kw, &p[2]);
+				goto error;
+			    }
 			    kw = p + 1;		/* skip over the "]" */
 			    break;
 			}
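Review bot: E999 in the new EMSG3 call inside the `if (p[2] != NUL)` block reads as a placeholder; Vim error numbers are unique and documented, so an unused number should be allocated and the message added to the error documentation before this is applied. Note also that both `goto error` jumps abandon the rest of the `:syn keyword` command, whereas the removed `kw = p + 2; break;` path continued (that continuation is what read past the NUL in the report); the stricter behaviour looks right, but the commit message should state it, and tests for `syn keyword x a[` and `syn keyword x ab[c]de fgh` would lock both errors in.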
@@ -4898,7 +4903,7 @@
 		    }
 		}
 	    }
-
+error:
 	    vim_free(keyword_copy);
 	    vim_free(syn_opt_arg.cont_in_list);
 	    vim_free(syn_opt_arg.next_list);
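Review bot: the `error:` label is placed directly before the `vim_free()` cleanup, which is also the normal fall-through path, so the name implies the frees only run on failure; a neutral label such as `cleanup:` would read better. Please also confirm that neither `goto error` jumps past an initialisation of a variable used after the label; only the three `vim_free()` calls are visible in this hunk, so anything later that depends on state set in the skipped part of the loop needs checking.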
