Hi

afl-fuzz found another case which accesses invalid memory (beyond end of string) in Vim-7.4.1051 and older.
Steps to reproduce:

  $ valgrind vim -u NONE -N -S vg-error.vim 2> vg.log

... where vg-error.vim is the nonsensical attached 2-line file:

  $ cat vg-error.vim
  syn cluster a add=t "\|s*\|\s*" n
  syn region l start="\i" skip="" end="" contains=r

Valgrind log file vg.log contains:

  ==23851== Invalid read of size 1
  ==23851==    at 0x5A37B1: find_endpos (syntax.c:3048)
  ==23851==    by 0x5A307F: update_si_end (syntax.c:2820)
  ==23851==    by 0x5A2620: push_next_match (syntax.c:2513)
  ==23851==    by 0x5A1E41: syn_current_attr (syntax.c:2270)
  ==23851==    by 0x5A10C4: get_syntax_attr (syntax.c:1854)
  ==23851==    by 0x560A7E: win_line (screen.c:4378)
  ==23851==    by 0x55B683: win_update (screen.c:2013)
  ==23851==    by 0x558E27: update_screen (screen.c:680)
  ==23851==    by 0x5DC269: main_loop (main.c:1256)
  ==23851==    by 0x5DBDF3: main (main.c:1052)
  ==23851==  Address 0x7656974 is 0 bytes after a block of size 4 alloc'd
  ==23851==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==23851==    by 0x4E3347: lalloc (misc2.c:921)
  ==23851==    by 0x4E3255: alloc (misc2.c:820)
  ==23851==    by 0x4E3422: vim_strsave (misc2.c:1243)
  ==23851==    by 0x4C1855: ml_replace (memline.c:3134)
  ==23851==    by 0x45EDD7: do_sub (ex_cmds.c:5220)
  ==23851==    by 0x46EAD4: do_one_cmd (ex_docmd.c:2962)
  ==23851==    by 0x46B7D3: do_cmdline (ex_docmd.c:1133)
  ==23851==    by 0x469591: do_source (ex_cmds2.c:3396)
  ==23851==    by 0x468BBF: cmd_source (ex_cmds2.c:3005)
  ==23851==    by 0x468B11: ex_source (ex_cmds2.c:2978)
  ==23851==    by 0x46EAD4: do_one_cmd (ex_docmd.c:2962)

Code near syntax.c:3048:

    3033      line = ml_get_buf(syn_buf, startpos->lnum, FALSE);
    3034
    3035      /* take care of an empty match or negative offset */
    3036      if (pos.col <= matchcol)
    3037          ++matchcol;
    3038      else if (pos.col <= regmatch.endpos[0].col)
    3039          matchcol = pos.col;
    3040      else
    3041          /* Be careful not to jump over the NUL at the end-of-line */
    3042          for (matchcol = regmatch.endpos[0].col;
    3043                  line[matchcol] != NUL && matchcol < pos.col;
    3044                  ++matchcol)
    3045              ;
    3046
    3047      /* if the skip pattern includes end-of-line, break here */
  !!3048      if (line[matchcol] == NUL)
    3049          break;

Adding some debug printf, I can see that at line 3048:

* matchcol is 4, and was set at line 3037
* STRLEN(line) is only 3, hence the error when accessing line[matchcol].

It's not clear to me how to fix it.

Regards
Dominique
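The following is an added illustration, not code from the report or from Vim: a small stand-alone model of the column-advance logic quoted above, written to show why the `++matchcol` branch at line 3037 can leave `matchcol` one past the terminating NUL (so the later `line[matchcol]` read at line 3048 lands outside the allocation, exactly what Valgrind reports as "0 bytes after a block"), while the `for` loop branch stops at the NUL and cannot overshoot. The function names, the `read_in_bounds` helper, the clamping variant and the sample values of `pos.col` and `regmatch.endpos[0].col` are all assumptions made for this example; the clamping variant is one defensive option for a model like this, not the upstream fix.

```c
#include <stdio.h>
#include <string.h>

#define NUL '\0'

/* Hypothetical reimplementation of the column-advance logic quoted from
 * find_endpos() (illustration only, not Vim's own code).  It returns the
 * new matchcol; the real caller then reads line[matchcol]. */
size_t advance_matchcol(const char *line, size_t pos_col, size_t matchcol,
                        size_t end_col)
{
    if (pos_col <= matchcol)
        ++matchcol;                 /* the branch taken in the report */
    else if (pos_col <= end_col)
        matchcol = pos_col;
    else
        /* this branch tests for NUL before each step, so it never overshoots */
        for (matchcol = end_col; line[matchcol] != NUL && matchcol < pos_col;
             ++matchcol)
            ;
    return matchcol;
}

/* Reading line[col] is in bounds only while col <= strlen(line): index
 * strlen(line) is the terminating NUL, anything past it is outside the
 * allocation (the "0 bytes after a block of size 4" in the Valgrind log). */
int read_in_bounds(const char *line, size_t col)
{
    return col <= strlen(line);
}

/* Hardened variant (assumed for this example, not the upstream fix): clamp
 * the result to the NUL position so the end-of-line check in the caller
 * still fires and no byte beyond the buffer is ever read. */
size_t advance_matchcol_clamped(const char *line, size_t pos_col,
                                size_t matchcol, size_t end_col)
{
    size_t len = strlen(line);
    size_t col = advance_matchcol(line, pos_col, matchcol, end_col);
    return col > len ? len : col;
}

int main(void)
{
    /* Constructed scenario mirroring the report: STRLEN(line) == 3 and
     * matchcol already sits on the NUL; pos.col and endpos are assumed. */
    const char *line = "abc";
    size_t col = advance_matchcol(line, 3, 3, 3);
    printf("unchecked: matchcol=%zu in_bounds=%d\n", col,
           read_in_bounds(line, col));          /* matchcol=4 in_bounds=0 */
    col = advance_matchcol_clamped(line, 3, 3, 3);
    printf("clamped:   matchcol=%zu in_bounds=%d\n", col,
           read_in_bounds(line, col));          /* matchcol=3 in_bounds=1 */
    return 0;
}
```

Compile with `cc -Wall model.c && ./a.out`; the first line shows the out-of-bounds index the report describes, the second shows that clamping keeps the index on the NUL so the "break here" condition at line 3048 is reached without reading past the string. Running the model under Valgrind or AddressSanitizer is the quickest way to confirm that only the unchecked path produces a report.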
