Hi,

afl-fuzz found a heap buffer overflow in vim-7.4.2321 and older. At least vim-7.4.52 in xubuntu-14.04 is also affected, so it's an old bug.
Steps to reproduce:

$ cat overflow.vim
norm oxx
exe "norm 2\<c-f>"
exe "norm 2\<c-b>"

$ valgrind vim -u NONE -S overflow.vim -c 'q!' 2> log

log file contains:

==13019== Memcheck, a memory error detector
==13019== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13019== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==13019== Command: vim -u NONE -S overflow.vim -c q!
==13019==
==13019== Invalid read of size 1
==13019==    at 0x813051D: utf_head_off (mbyte.c:3740)
==13019==    by 0x8130C6D: mb_adjustpos (mbyte.c:4022)
==13019==    by 0x8130C14: mb_adjust_cursor (mbyte.c:4003)
==13019==    by 0x8134B1A: normal_cmd (normal.c:1291)
==13019==    by 0x80C29EE: exec_normal (ex_docmd.c:10250)
==13019==    by 0x80C29A9: exec_normal_cmd (ex_docmd.c:10233)
==13019==    by 0x80C27E8: ex_normal (ex_docmd.c:10142)
==13019==    by 0x80B6DE7: do_one_cmd (ex_docmd.c:2962)
==13019==    by 0x80B3B90: do_cmdline (ex_docmd.c:1110)
==13019==    by 0x8085D0E: ex_execute (eval.c:8344)
==13019==    by 0x80B6DE7: do_one_cmd (ex_docmd.c:2962)
==13019==    by 0x80B3B90: do_cmdline (ex_docmd.c:1110)
==13019==  Address 0x54fab68 is 0 bytes after a block of size 4,096 alloc'd
==13019==    at 0x402C19C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13019==    by 0x8123937: lalloc (misc2.c:920)
==13019==    by 0x8123827: alloc (misc2.c:818)
==13019==    by 0x823E9C1: mf_alloc_bhdr (memfile.c:907)
==13019==    by 0x823E06A: mf_new (memfile.c:381)
==13019==    by 0x810B6DF: ml_new_data (memline.c:3513)
==13019==    by 0x8105E0C: ml_open (memline.c:400)
==13019==    by 0x805334F: open_buffer (buffer.c:160)
==13019==    by 0x823B5BB: create_windows (main.c:2668)
==13019==    by 0x8238CD1: vim_main2 (main.c:704)
==13019==    by 0x8238798: main (main.c:415)

Regards
Dominique

PS: I'm finding more bugs with afl-fuzz these days as I managed to speed up fuzzing and also because coverage of vim tests (used as input for fuzzing) has increased lately.

-- 
You received this message from the "vim_dev" maillist.
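An added example, not part of Dominique's report or of the Vim project: a small Python triage helper that parses a memcheck report like the one above, classifies the error from the "Address ... is N bytes after/before a block of size M alloc'd/free'd" line, and derives a deduplication key from the first frame that carries source information. That is the routine step when afl-fuzz produces many crash inputs that may all be the same bug: run each under valgrind, key the reports, and keep one per key. The report text embedded in the block is the one from the mail; the class and function names (`Frame`, `MemcheckError`, `parse_memcheck`) are mine, and the classification rule is a simplification of memcheck's full vocabulary.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Memcheck report as quoted in the bug report above (the leading whitespace
# inside the "==pid==" lines follows valgrind's usual layout).
SAMPLE_LOG = """\
==13019== Memcheck, a memory error detector
==13019== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==13019== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==13019== Command: vim -u NONE -S overflow.vim -c q!
==13019==
==13019== Invalid read of size 1
==13019==    at 0x813051D: utf_head_off (mbyte.c:3740)
==13019==    by 0x8130C6D: mb_adjustpos (mbyte.c:4022)
==13019==    by 0x8130C14: mb_adjust_cursor (mbyte.c:4003)
==13019==    by 0x8134B1A: normal_cmd (normal.c:1291)
==13019==    by 0x80C29EE: exec_normal (ex_docmd.c:10250)
==13019==    by 0x80C29A9: exec_normal_cmd (ex_docmd.c:10233)
==13019==    by 0x80C27E8: ex_normal (ex_docmd.c:10142)
==13019==    by 0x80B6DE7: do_one_cmd (ex_docmd.c:2962)
==13019==    by 0x80B3B90: do_cmdline (ex_docmd.c:1110)
==13019==    by 0x8085D0E: ex_execute (eval.c:8344)
==13019==    by 0x80B6DE7: do_one_cmd (ex_docmd.c:2962)
==13019==    by 0x80B3B90: do_cmdline (ex_docmd.c:1110)
==13019==  Address 0x54fab68 is 0 bytes after a block of size 4,096 alloc'd
==13019==    at 0x402C19C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13019==    by 0x8123937: lalloc (misc2.c:920)
==13019==    by 0x8123827: alloc (misc2.c:818)
==13019==    by 0x823E9C1: mf_alloc_bhdr (memfile.c:907)
==13019==    by 0x823E06A: mf_new (memfile.c:381)
==13019==    by 0x810B6DF: ml_new_data (memline.c:3513)
==13019==    by 0x8105E0C: ml_open (memline.c:400)
==13019==    by 0x805334F: open_buffer (buffer.c:160)
==13019==    by 0x823B5BB: create_windows (main.c:2668)
==13019==    by 0x8238CD1: vim_main2 (main.c:704)
==13019==    by 0x8238798: main (main.c:415)
"""

ERROR_RE = re.compile(r"^==\d+==\s+Invalid (read|write) of size (\d+)\s*$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\((.+)\)\s*$")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x[0-9A-Fa-f]+ is (\d[\d,]*) bytes (after|before|inside)"
    r" a block of size (\d[\d,]*) (alloc'd|free'd)\s*$")
BLANK_RE = re.compile(r"^==\d+==\s*$")   # a bare ==pid== line ends a record


@dataclass
class Frame:
    func: str
    where: str  # "mbyte.c:3740", or "in /path/lib.so" when there is no debug info

    @property
    def has_source(self) -> bool:
        return not self.where.startswith("in ") and ":" in self.where


@dataclass
class MemcheckError:
    access: str                          # "read" or "write"
    size: int                            # bytes accessed
    stack: List[Frame] = field(default_factory=list)
    offset: Optional[int] = None         # distance from the block edge
    relation: Optional[str] = None       # "after", "before" or "inside"
    block_size: Optional[int] = None
    block_state: Optional[str] = None    # "alloc'd" or "free'd"
    alloc_stack: List[Frame] = field(default_factory=list)

    def classify(self) -> str:
        if self.block_state == "free'd":
            return "heap-use-after-free"
        if self.block_state == "alloc'd" and self.relation in ("after", "before"):
            return "heap-buffer-overflow"
        return "invalid-access"          # no heap block info: wild pointer, stack, ...

    @staticmethod
    def first_source_frame(stack: List[Frame]) -> Optional[Frame]:
        # Skip allocator/preload frames so the key points at project code.
        return next((f for f in stack if f.has_source), None)

    def triage_key(self) -> str:
        top = self.first_source_frame(self.stack)
        loc = f"{top.func}({top.where})" if top else "?"
        return f"{self.classify()}:{self.access}{self.size}@{loc}"


def parse_memcheck(text: str) -> List[MemcheckError]:
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    target: Optional[List[Frame]] = None   # list receiving the next at/by frames
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            current = MemcheckError(access=m.group(1), size=int(m.group(2)))
            errors.append(current)
            target = current.stack
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            current.offset = int(m.group(1).replace(",", ""))
            current.relation = m.group(2)
            current.block_size = int(m.group(3).replace(",", ""))
            current.block_state = m.group(4)
            target = current.alloc_stack  # frames after this line are the alloc site
            continue
        m = FRAME_RE.match(line)
        if m and target is not None:
            target.append(Frame(m.group(1), m.group(2)))
        elif BLANK_RE.match(line):
            current, target = None, None
    return errors
```

Feed it the `log` file from the reproduction (`parse_memcheck(open("log").read())`) and print `triage_key()` for each record; for the report above this yields `heap-buffer-overflow:read1@utf_head_off(mbyte.c:3740)`, with the block allocated at `lalloc (misc2.c:920)` once the `malloc` preload frame is skipped. Keying on the first source frame rather than the full stack is deliberate: the same overflow reached through a different Ex command chain should still collapse into one bug.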
