Dominique Pellé wrote:

> Hi
>
> vim-7.4.1967 (and earlier) accesses invalid memory
> when running this command:
>
> $ valgrind --num-callers=20 vim -u NONE -c 'ec "\<C-">' -c q 2> log
>
> log file then contains:
>
> ==5725== Memcheck, a memory error detector
> ==5725== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==5725== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
> ==5725== Command: vim -u NONE -c ec\ "\\\<C-"\> -c q
> ==5725==
> ==5725== Invalid read of size 1
> ==5725==    at 0x414598: skipwhite (charset.c:1522)
> ==5725==    by 0x4346EE: eval7 (eval.c:5346)
> ==5725==    by 0x433EC2: eval6 (eval.c:4964)
> ==5725==    by 0x4339A4: eval5 (eval.c:4780)
> ==5725==    by 0x432C67: eval4 (eval.c:4479)
> ==5725==    by 0x432AA4: eval3 (eval.c:4396)
> ==5725==    by 0x43291C: eval2 (eval.c:4328)
> ==5725==    by 0x432753: eval1 (eval.c:4256)
> ==5725==    by 0x453969: ex_echo (eval.c:23765)
> ==5725==    by 0x475BE4: do_one_cmd (ex_docmd.c:2923)
> ==5725==    by 0x4728D2: do_cmdline (ex_docmd.c:1108)
> ==5725==    by 0x471F0E: do_cmdline_cmd (ex_docmd.c:713)
> ==5725==    by 0x5F67E3: exe_commands (main.c:2944)
> ==5725==    by 0x5F3D4B: main (main.c:959)
> ==5725==  Address 0x769ec8b is 0 bytes after a block of size 11 alloc'd
> ==5725==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==5725==    by 0x4ECEBF: lalloc (misc2.c:920)
> ==5725==    by 0x4ECD8C: alloc (misc2.c:818)
> ==5725==    by 0x4ED319: vim_strsave (misc2.c:1253)
> ==5725==    by 0x4726FC: do_cmdline (ex_docmd.c:1038)
> ==5725==    by 0x471F0E: do_cmdline_cmd (ex_docmd.c:713)
> ==5725==    by 0x5F67E3: exe_commands (main.c:2944)
> ==5725==    by 0x5F3D4B: main (main.c:959)
> (more errors after that...)
>
> Bug was found using afl-fuzz.
>
> I'm not sure whether \<C-"> in a string is valid syntax, but
> it should not cause invalid memory access.
>
> I'll try to debug it during next weekend but
> maybe someone else can fix it earlier.
>
> Regards
> Dominique


Hi

Attached is a patch that fixes the bug.
All tests pass, but I'm not sure that the fix is correct.
As far as I can tell, special keys like <c-"> should not be allowed.
Please check.

Regards
Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

diff --git a/src/misc2.c b/src/misc2.c
index 1018e4b..9ecf8e9 100644
--- a/src/misc2.c
+++ b/src/misc2.c
@@ -2741,8 +2741,8 @@ find_special_key(
 		else
 #endif
 		    l = 1;
-		if (bp[l + 1] == '>')
-		    bp += l;	/* anything accepted, like <C-?> */
+		if (bp[l] != '"' && bp[l + 1] == '>')
+		    bp += l;	/* anything accepted, like <C-?>, except <C-"> */
 	    }
 	}
 	if (bp[0] == 't' && bp[1] == '_' && bp[2] && bp[3])
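Review bot: the new `bp[l] != '"'` test rejects `<C-">` for every caller of find_special_key(), not only when the text being parsed is the body of a double-quoted expression string, so the meaning of `<C-">` changes wherever this routine is used even though `"` has no quoting role there; the valgrind trace shows the problematic caller is the string parsing under eval7/ex_echo in eval.c. Consider having that caller pass a flag and limiting the rejection to it, e.g. `if (bp[l + 1] == '>' && (!in_string || bp[l] != '"'))`, so the only context that refuses `<C-">` is the one where the quote would otherwise be swallowed as the string's closing delimiter. The comment on the `bp += l` line should then describe that condition rather than a blanket exception.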

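A model of the mechanism behind the report, added here as an illustration rather than taken from Vim's source: a cut-down special-key recogniser that follows the old "anything accepted, like <C-?>" rule, and a string-literal scanner that hands "\<...>" to it. With the old rule the `"` inside "\<C-">" is consumed as the key's character, the scanner runs on to the terminating NUL, and the caller's usual step past the closing quote lands one byte beyond the NUL (the 11-byte block in the valgrind log is `ec "\<C-">` plus its NUL, and the faulting address is 0 bytes after it). With an in_string guard the key is refused, the quote closes the string, and parsing resumes on the `>`. The function names, the two-argument shape of model_find_special_key(), the <C-x>-only grammar and the sample literals are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the two pieces of behaviour involved in the report: the
 * "<C-x>" special-key recogniser and the scanner for a double-quoted
 * expression string.  Added illustration code, not Vim's source; names,
 * the reduced <C-x>-only grammar and the in_string argument are assumptions.
 */

/*
 * p points at '<'.  Accept exactly the form <C-x> where x is any single
 * byte (the "anything accepted, like <C-?>" rule).  When in_string is
 * nonzero, refuse x == '"' because inside a double-quoted string that byte
 * is the closing quote.  Returns the number of bytes consumed, or 0.
 */
static size_t model_find_special_key(const char *p, int in_string)
{
    if (p[0] != '<' || p[1] != 'C' || p[2] != '-' || p[3] == '\0')
        return 0;
    if (in_string && p[3] == '"')
        return 0;
    if (p[4] != '>')
        return 0;
    return 5;
}

/*
 * s points at the opening '"' of a NUL-terminated literal.  Walks the body
 * the way a copy pass would: a backslash escapes the next byte, and "\<...>"
 * is handed to model_find_special_key().  *resume receives the offset
 * (p + 1 relative to s) at which an unguarded caller would continue, i.e.
 * one past wherever the walk stopped.  Returns 1 if the walk stopped on a
 * closing quote, 0 if it stopped on the terminating NUL; in the latter
 * case *resume already points one byte past the NUL.
 */
static int model_scan_string(const char *s, int in_string, long *resume)
{
    const char *p = s + 1;

    while (*p != '\0' && *p != '"') {
        if (*p == '\\' && p[1] != '\0') {
            if (p[1] == '<') {
                size_t n = model_find_special_key(p + 1, in_string);
                if (n != 0) {
                    p += 1 + n;     /* skip the backslash and the key */
                    continue;
                }
            }
            p += 2;                 /* plain escape: backslash + one byte */
            continue;
        }
        ++p;
    }
    *resume = (long)(p + 1 - s);
    return *p == '"';
}

/* Nonzero when a resume offset lies beyond the terminating NUL of s. */
static int model_resume_out_of_bounds(const char *s, long resume)
{
    return resume > (long)strlen(s);
}

/* Convenience wrappers exposing the two results of a scan separately. */
static long model_resume_for(const char *s, int in_string)
{
    long r;
    (void)model_scan_string(s, in_string, &r);
    return r;
}

static int model_closed_for(const char *s, int in_string)
{
    long r;
    return model_scan_string(s, in_string, &r);
}

int main(void)
{
    /* Constructed input: the literal from the report, "\<C-">, as bytes. */
    const char *lit = "\"\\<C-\">";
    long resume;
    int closed;

    closed = model_scan_string(lit, 0, &resume);   /* old rule */
    printf("old rule: closed=%d resume=%ld out_of_bounds=%d\n",
           closed, resume, model_resume_out_of_bounds(lit, resume));

    closed = model_scan_string(lit, 1, &resume);   /* with the guard */
    printf("in_string guard: closed=%d resume=%ld next='%c'\n",
           closed, resume, lit[resume]);

    closed = model_scan_string("\"\\<C-a>\"", 1, &resume);
    printf("legitimate key: closed=%d resume=%ld\n", closed, resume);
    return 0;
}
```

The guard is placed in the recogniser only because the model has a single caller; in the real code the flag has to come from the string-literal caller so that the `"` byte is refused in that context alone.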