Re: Buffer overflow when using trunc_string()

Bram Moolenaar Mon, 18 Jul 2016 14:40:13 -0700

Dominique Pellé wrote:

> Bram Moolenaar wrote:
> 
> > Yegappan Lakshmanan wrote:
> >
> >> Running the message_test executable with address sanitizer
> >> enabled and the following test code in message_test.c:
> >>
> >>     trunc_string((char_u *)"a text that fits", buf, 34, 40);
> >>
> >> produces a buffer overflow in utf_head_off():
> >>
> >> AddressSanitizer: global-buffer-overflow mbyte.c:3740 in utf_head_off
> >
> > I ran the test with valgrind but it did not report a problem.
> > Do you have more information/
> 
> Valgrind does not detect overflows in global and stack variables.
> Asan detects them.
> 
> I can reproduce the bug detected by asan with vim-7.4.2067:
> 
> $ diff --git a/src/message_test.c b/src/message_test.c
> index 41b8875..d894677 100644
> --- a/src/message_test.c
> +++ b/src/message_test.c
> @@ -59,6 +59,8 @@ test_trunc_string(void)
> 
>      trunc_string((char_u *)"a text that nott fits", buf, 20, 40);
>      assert(STRCMP(buf, "a text t...nott fits") == 0);
> +
> +    trunc_string((char_u *)"a text that fits", buf, 34, 40);
>  }


OK, if I copy the text to allocated memory then valgrind also finds the
error.  I'll also allocate the buffer, to find any uninitialzed access.
Hmm, quite a bit of extra hassle.

-- 
MORTICIAN:    Bring out your dead!
              [clang]
              Bring out your dead!
              [clang]
              Bring out your dead!
CUSTOMER:     Here's one -- nine pence.
DEAD PERSON:  I'm not dead!
                                  The Quest for the Holy Grail (Monty Python)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Re: Buffer overflow when using trunc_string()

Raspunde prin e-mail lui