Dominique Pellé wrote:
> afl-fuzz found another case which accesses
> invalid memory (beyond end of string) in
> Vim-7.4.1051 and older.
>
> Steps to reproduce:
>
> $ valgrind vim -u NONE -N -S vg-error.vim 2> vg.log
>
> ... where vg-error.vim is the nonsensical attached 2-lines file:
>
> $ cat vg-error.vim
> syn cluster a add=t "\|s*\|\s*" n
> syn region l start="\i" skip="" end="" contains=r
>
>
> Valgrind log file vg.log contains:
>
> ==23851== Invalid read of size 1
> ==23851== at 0x5A37B1: find_endpos (syntax.c:3048)
> ==23851== by 0x5A307F: update_si_end (syntax.c:2820)
> ==23851== by 0x5A2620: push_next_match (syntax.c:2513)
> ==23851== by 0x5A1E41: syn_current_attr (syntax.c:2270)
> ==23851== by 0x5A10C4: get_syntax_attr (syntax.c:1854)
> ==23851== by 0x560A7E: win_line (screen.c:4378)
> ==23851== by 0x55B683: win_update (screen.c:2013)
> ==23851== by 0x558E27: update_screen (screen.c:680)
> ==23851== by 0x5DC269: main_loop (main.c:1256)
> ==23851== by 0x5DBDF3: main (main.c:1052)
> ==23851== Address 0x7656974 is 0 bytes after a block of size 4 alloc'd
> ==23851== at 0x4C2AB80: malloc (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==23851== by 0x4E3347: lalloc (misc2.c:921)
> ==23851== by 0x4E3255: alloc (misc2.c:820)
> ==23851== by 0x4E3422: vim_strsave (misc2.c:1243)
> ==23851== by 0x4C1855: ml_replace (memline.c:3134)
> ==23851== by 0x45EDD7: do_sub (ex_cmds.c:5220)
> ==23851== by 0x46EAD4: do_one_cmd (ex_docmd.c:2962)
> ==23851== by 0x46B7D3: do_cmdline (ex_docmd.c:1133)
> ==23851== by 0x469591: do_source (ex_cmds2.c:3396)
> ==23851== by 0x468BBF: cmd_source (ex_cmds2.c:3005)
> ==23851== by 0x468B11: ex_source (ex_cmds2.c:2978)
> ==23851== by 0x46EAD4: do_one_cmd (ex_docmd.c:2962)
>
> Code near syntax.c:3048:
>
> 3033 line = ml_get_buf(syn_buf, startpos->lnum, FALSE);
> 3034
> 3035 /* take care of an empty match or negative offset */
> 3036 if (pos.col <= matchcol)
> 3037 ++matchcol;
> 3038 else if (pos.col <= regmatch.endpos[0].col)
> 3039 matchcol = pos.col;
> 3040 else
> 3041 /* Be careful not to jump over the NUL at the end-of-line */
> 3042 for (matchcol = regmatch.endpos[0].col;
> 3043 line[matchcol] != NUL && matchcol < pos.col;
> 3044 ++matchcol)
> 3045 ;
> 3046
> 3047 /* if the skip pattern includes end-of-line, break here */
> !!3048 if (line[matchcol] == NUL)
> 3049 break;
>
> Adding some debug printf, I can see that at line 3048:
> * matchcol is 4, and was set at line 3037
> * STRLEN(line) is only 3, hence the error when accessing line[matchcol].
>
> It's not clear to me how to fix it.
Thanks for the report. I think we should just check that matchcol is
past the end of the line instead of checking for it pointing to the NUL.
I can see it happens in line 3037, but changing that line doesn't look like
the right solution.
--
BEDEVERE: How do you know so much about swallows?
ARTHUR: Well you have to know these things when you're a king, you know.
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
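Added example (not Vim's code and not the patch that was eventually made): a small C model of the loop step quoted at syntax.c:3035-3048, so the failure the report describes can be seen without Valgrind. The lpos_T/regmmatch_T fields are simplified to plain ints, the line is placed in a padded buffer whose bytes past the terminator are filled with non-NUL junk (standing in for whatever followed the 4-byte heap block), and the bounded check is my reading of the suggestion in the reply, comparing matchcol against the line length rather than dereferencing line[matchcol]; all three are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define NUL '\0'
#define PAD 8   /* buffer larger than the line, so the demo stays within defined memory */

/* Model of syntax.c:3035-3045 as quoted above. Simplified: pos.col and
 * regmatch.endpos[0].col are passed as ints instead of the real structs. */
static int advance_matchcol(const char *line, int matchcol, int pos_col, int end_col)
{
    if (pos_col <= matchcol)
        ++matchcol;            /* 3037: when matchcol == STRLEN(line) this steps past the NUL */
    else if (pos_col <= end_col)
        matchcol = pos_col;
    else
        /* Be careful not to jump over the NUL at the end-of-line */
        for (matchcol = end_col; line[matchcol] != NUL && matchcol < pos_col; ++matchcol)
            ;
    return matchcol;
}

/* The check as quoted at line 3048: reads line[matchcol] whatever its value. */
static int eol_check_original(const char *line, int matchcol)
{
    return line[matchcol] == NUL;
}

/* Bounded check (assumed reading of the reply): decide from the length, never
 * from a byte beyond the terminator. */
static int eol_check_bounded(const char *line, int matchcol)
{
    return matchcol >= (int)strlen(line);
}

/* Constructed line: "abc" followed by junk bytes instead of a clean zero fill. */
static void make_line(char *buf, const char *text)
{
    memset(buf, 'x', PAD);
    memcpy(buf, text, strlen(text) + 1);
}

/* Reported state: 3-byte line, matchcol already on the NUL (3), pos.col <= matchcol,
 * so line 3037 bumps matchcol to 4. Returns the resulting matchcol (expected 4). */
int demo_matchcol_after_advance(void)
{
    char buf[PAD];
    make_line(buf, "abc");
    return advance_matchcol(buf, 3, 3, 3);
}

/* With matchcol == 4 the original test looks at the junk byte: it is not NUL, so
 * the "break" at 3049 is skipped and the loop keeps going. Returns 0 for that case. */
int demo_original_misses_eol(void)
{
    char buf[PAD];
    make_line(buf, "abc");
    return eol_check_original(buf, advance_matchcol(buf, 3, 3, 3));
}

/* The bounded check recognises matchcol == 4 as past the 3-byte line. Returns 1. */
int demo_bounded_detects_eol(void)
{
    char buf[PAD];
    make_line(buf, "abc");
    return eol_check_bounded(buf, advance_matchcol(buf, 3, 3, 3));
}

/* In-bounds case: both checks agree that column 2 of "abc" is not end-of-line. */
int demo_checks_agree_in_bounds(void)
{
    char buf[PAD];
    make_line(buf, "abc");
    int matchcol = advance_matchcol(buf, 0, 2, 2);   /* 3038-3039 path: matchcol = 2 */
    return eol_check_original(buf, matchcol) == eol_check_bounded(buf, matchcol);
}

int main(void)
{
    printf("matchcol after advance: %d\n", demo_matchcol_after_advance());
    printf("original check sees EOL: %d\n", demo_original_misses_eol());
    printf("bounded check sees EOL:  %d\n", demo_bounded_detects_eol());
    printf("checks agree in bounds:  %d\n", demo_checks_agree_in_bounds());
    return 0;
}
```

The padded buffer only makes the wrong read visible without undefined behaviour; in the real program the byte at line[4] belongs to whatever sits after the 4-byte block, which is exactly what Valgrind flagged.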