Dominique Pellé wrote:

> afl-fuzz found another case which accesses
> invalid memory (beyond end of string) in
> Vim-7.4.1051 and older.
>
> Steps to reproduce:
>
>   $ valgrind vim -u NONE -N -S vg-error.vim 2> vg.log
>
> ... where vg-error.vim is the nonsensical attached 2-line file:
>
>   $ cat vg-error.vim
>   syn cluster a add=t "\|s*\|\s*" n
>   syn region l start="\i" skip="" end="" contains=r
>
> Valgrind log file vg.log contains:
>
>   ==23851== Invalid read of size 1
>   ==23851==    at 0x5A37B1: find_endpos (syntax.c:3048)
>   ==23851==    by 0x5A307F: update_si_end (syntax.c:2820)
>   ==23851==    by 0x5A2620: push_next_match (syntax.c:2513)
>   ==23851==    by 0x5A1E41: syn_current_attr (syntax.c:2270)
>   ==23851==    by 0x5A10C4: get_syntax_attr (syntax.c:1854)
>   ==23851==    by 0x560A7E: win_line (screen.c:4378)
>   ==23851==    by 0x55B683: win_update (screen.c:2013)
>   ==23851==    by 0x558E27: update_screen (screen.c:680)
>   ==23851==    by 0x5DC269: main_loop (main.c:1256)
>   ==23851==    by 0x5DBDF3: main (main.c:1052)
>   ==23851==  Address 0x7656974 is 0 bytes after a block of size 4 alloc'd
>   ==23851==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
>   ==23851==    by 0x4E3347: lalloc (misc2.c:921)
>   ==23851==    by 0x4E3255: alloc (misc2.c:820)
>   ==23851==    by 0x4E3422: vim_strsave (misc2.c:1243)
>   ==23851==    by 0x4C1855: ml_replace (memline.c:3134)
>   ==23851==    by 0x45EDD7: do_sub (ex_cmds.c:5220)
>   ==23851==    by 0x46EAD4: do_one_cmd (ex_docmd.c:2962)
>   ==23851==    by 0x46B7D3: do_cmdline (ex_docmd.c:1133)
>   ==23851==    by 0x469591: do_source (ex_cmds2.c:3396)
>   ==23851==    by 0x468BBF: cmd_source (ex_cmds2.c:3005)
>   ==23851==    by 0x468B11: ex_source (ex_cmds2.c:2978)
>   ==23851==    by 0x46EAD4: do_one_cmd (ex_docmd.c:2962)
>
> Code near syntax.c:3048:
>
>   3033         line = ml_get_buf(syn_buf, startpos->lnum, FALSE);
>   3034
>   3035         /* take care of an empty match or negative offset */
>   3036         if (pos.col <= matchcol)
>   3037             ++matchcol;
>   3038         else if (pos.col <= regmatch.endpos[0].col)
>   3039             matchcol = pos.col;
>   3040         else
>   3041             /* Be careful not to jump over the NUL at the end-of-line */
>   3042             for (matchcol = regmatch.endpos[0].col;
>   3043                  line[matchcol] != NUL && matchcol < pos.col;
>   3044                  ++matchcol)
>   3045                 ;
>   3046
>   3047         /* if the skip pattern includes end-of-line, break here */
> !!3048         if (line[matchcol] == NUL)
>   3049             break;
>
> Adding some debug printf, I can see that at line 3048:
> * matchcol is 4, and was set at line 3037
> * STRLEN(line) is only 3, hence the error when accessing line[matchcol].
>
> It's not clear to me how to fix it.
Thanks for the report. I think we should just check that matchcol is past
the end of the line instead of checking for it pointing to the NUL. I can
see it happens in line 3037; changing that line doesn't look like the right
solution.

-- 
BEDEVERE: How do you know so much about swallows?
ARTHUR:   Well you have to know these things when you're a king, you know.
                                  "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
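An added example, not Vim's code and not the patch that followed this thread, that models the matchcol arithmetic in the quoted snippet and contrasts the unchecked line[matchcol] == NUL test with a length-based check of the kind Bram suggests. The struct fields are flattened into plain int parameters; safe_read, advance_matchcol, original_eol_check and fixed_eol_check are hypothetical names, and the 3-byte line and pos.col values are constructed to reproduce the numbers from the report (STRLEN 3, matchcol bumped to 4 by the "empty match" branch):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUL '\0'

/*
 * Bounds-checked byte read.  Returns true and stores the byte in *c when
 * idx lies inside the NUL-terminated buffer (the terminator at line[len]
 * counts as inside); returns false when the read would be out of bounds.
 * The real code simply does line[idx], which is undefined behaviour there;
 * this stand-in records the attempt instead of performing it.
 */
static bool safe_read(const char *line, size_t len, int idx, char *c)
{
    if (idx < 0 || (size_t)idx > len)
        return false;
    *c = line[idx];
    return true;
}

/*
 * Mirrors the matchcol arithmetic quoted from syntax.c:3036-3045.
 * Only the third branch guards against running past the NUL; the
 * "empty match" branch increments blindly, which is how the reported run
 * reached matchcol == 4 on a line of length 3.
 * Assumes match_end_col (regmatch.endpos[0].col) is within the line.
 */
static int advance_matchcol(const char *line, int pos_col, int matchcol,
                            int match_end_col)
{
    if (pos_col <= matchcol)
        ++matchcol;
    else if (pos_col <= match_end_col)
        matchcol = pos_col;
    else
        for (matchcol = match_end_col;
             line[matchcol] != NUL && matchcol < pos_col;
             ++matchcol)
            ;
    return matchcol;
}

/*
 * The check as quoted at syntax.c:3048: indexes line[matchcol] with no
 * bounds test.  Returns 1 if end-of-line is reached, 0 if not, and -1 if
 * the read itself would fall outside the buffer (valgrind's "Invalid read
 * of size 1").
 */
static int original_eol_check(const char *line, size_t len, int matchcol)
{
    char c;
    if (!safe_read(line, len, matchcol, &c))
        return -1;
    return c == NUL ? 1 : 0;
}

/*
 * A check along the lines Bram proposes: any matchcol at or beyond the
 * line length is treated as end-of-line without dereferencing it.
 * Returns 1 for end-of-line, 0 otherwise; never reads past the buffer.
 */
static int fixed_eol_check(const char *line, size_t len, int matchcol)
{
    if (matchcol < 0 || (size_t)matchcol >= len)
        return 1;
    return line[matchcol] == NUL ? 1 : 0;
}

int main(void)
{
    /* Constructed input: a 3-byte line in a 4-byte buffer, as in the report. */
    const char line[] = "abc";
    size_t len = strlen(line);

    /* pos.col == matchcol == 3 takes the "empty match" branch and yields 4. */
    int matchcol = advance_matchcol(line, 3, 3, 3);
    printf("matchcol after advance: %d (STRLEN is %zu)\n", matchcol, len);
    printf("original check: %d (-1 = out-of-bounds read)\n",
           original_eol_check(line, len, matchcol));
    printf("fixed check:    %d (1 = treated as end-of-line)\n",
           fixed_eol_check(line, len, matchcol));
    return 0;
}
```

The point of the length comparison is that it makes the "break on end-of-line" decision before any dereference, so it stays correct whether matchcol lands exactly on the NUL or one past it; the original test only covers the first case.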