Dominique Pellé wrote:
> Hi
>
> Here is another bug found by afl-fuzz. The following commands cause
> vim-7.8.824 (and older) to access invalid memory, beyond the end of the string:
>
> $ mkdir /tmp/foo
> $ cd /tmp/foo
> $ touch '#'
> $ touch $(perl -e 'print chr(0xf0),chr(0x80),chr(0x80),chr(0xa3)')
> $ vim -u NONE -c 'e*'
...snip...
Sorry, I forgot to attach the patch in the previous email. Here it is.
Dominique
--
You received this message from the "vim_dev" maillist.
diff -r 349e6c01f35d src/misc2.c
--- a/src/misc2.c Tue Aug 11 20:34:49 2015 +0200
+++ b/src/misc2.c Wed Aug 12 23:22:36 2015 +0200
@@ -5816,9 +5816,10 @@
{
int i;
int c1, c2;
+ int l1, l2;
const char *s = NULL;
- for (i = 0; maxlen < 0 || i < maxlen; i += MB_PTR2LEN((char_u *)p + i))
+ for (i = 0; maxlen < 0 || i < maxlen;)
{
c1 = PTR2CHAR((char_u *)p + i);
c2 = PTR2CHAR((char_u *)q + i);
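Review bot: with the per-iteration advance removed from the loop header (`- for (i = 0; maxlen < 0 || i < maxlen; i += MB_PTR2LEN((char_u *)p + i))` becomes `+ for (i = 0; maxlen < 0 || i < maxlen;)`), every path through the body that neither returns nor breaks must now reach the `i += l1` added at the bottom of the loop; a `continue` anywhere in the unchanged body between the two hunks would re-examine the same `i` forever, so that region needs to be checked for one before this is merged. The new `int l1, l2;` should also get a short comment saying they hold the byte lengths of the sequences at `p + i` and `q + i`, in the same way `c1, c2` are the decoded characters.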
@@ -5854,6 +5855,23 @@
return p_fic ? MB_TOUPPER(c1) - MB_TOUPPER(c2)
: c1 - c2; /* no match */
}
+
+ l1 = MB_PTR2LEN((char_u *)p + i);
+ l2 = MB_PTR2LEN((char_u *)q + i);
+ if (l1 != l2)
+ {
+ /* This happens for utf-8 sequences that result
+ * in the same characters such as 0x23 and
+ * 0xf0 0x80 0x80 0xa3 (they both encode
+ * character U+0023). The longer utf8 sequence
+ * should be considered illegal according to
+ * Unicode standards, but it is considered valid
+ * in Vim.
+ */
+ s = (l1 < l2) ? p : q;
+ break;
+ }
+ i += l1;
}
if (s == NULL) /* "i" ran into "maxlen" */
return 0;
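Review bot: the new check treats two sequences that decode to the same character but differ in length as the point where the shorter one ends (`s = (l1 < l2) ? p : q;` then `break;`), so the value returned depends on what the code after `if (s == NULL)` does with a non-NULL `s`, which this hunk does not show; the comment should state that intent explicitly (the strings are reported as differing at this position, with the string using the shorter sequence treated as the one that ended) rather than only explaining why the lengths can differ for the same character. Minor style points in the same comment: the closing `*/` sits alone on its line, unlike the surrounding `/* no match */` style, and "utf-8" and "utf8" are spelled two ways within it.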