Dominique Pellé wrote:
> afl-fuzz found a heap buffer overflow in vim-7.4.2321
> and older. At least vim-7.4.52 in xubuntu-14.04 is
> also affected so it's an old bug.
>
> Steps to reproduce:
>
> $ cat overflow.vim
> norm oxx
> exe "norm 2\<c-f>"
> exe "norm 2\<c-b>"
>
> $ valgrind vim -u NONE -S overflow.vim -c 'q!' 2> log
>
> log file contains:
>
> ==13019== Memcheck, a memory error detector
> ==13019== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==13019== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
> ==13019== Command: vim -u NONE -S overflow.vim -c q!
> ==13019==
> ==13019== Invalid read of size 1
> ==13019== at 0x813051D: utf_head_off (mbyte.c:3740)
> ==13019== by 0x8130C6D: mb_adjustpos (mbyte.c:4022)
> ==13019== by 0x8130C14: mb_adjust_cursor (mbyte.c:4003)
> ==13019== by 0x8134B1A: normal_cmd (normal.c:1291)
> ==13019== by 0x80C29EE: exec_normal (ex_docmd.c:10250)
> ==13019== by 0x80C29A9: exec_normal_cmd (ex_docmd.c:10233)
> ==13019== by 0x80C27E8: ex_normal (ex_docmd.c:10142)
> ==13019== by 0x80B6DE7: do_one_cmd (ex_docmd.c:2962)
> ==13019== by 0x80B3B90: do_cmdline (ex_docmd.c:1110)
> ==13019== by 0x8085D0E: ex_execute (eval.c:8344)
> ==13019== by 0x80B6DE7: do_one_cmd (ex_docmd.c:2962)
> ==13019== by 0x80B3B90: do_cmdline (ex_docmd.c:1110)
> ==13019== Address 0x54fab68 is 0 bytes after a block of size 4,096 alloc'd
> ==13019== at 0x402C19C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
> ==13019== by 0x8123937: lalloc (misc2.c:920)
> ==13019== by 0x8123827: alloc (misc2.c:818)
> ==13019== by 0x823E9C1: mf_alloc_bhdr (memfile.c:907)
> ==13019== by 0x823E06A: mf_new (memfile.c:381)
> ==13019== by 0x810B6DF: ml_new_data (memline.c:3513)
> ==13019== by 0x8105E0C: ml_open (memline.c:400)
> ==13019== by 0x805334F: open_buffer (buffer.c:160)
> ==13019== by 0x823B5BB: create_windows (main.c:2668)
> ==13019== by 0x8238CD1: vim_main2 (main.c:704)
> ==13019== by 0x8238798: main (main.c:415)
Well, that must have happened many times. The cursor is beyond the end
of the line.
> PS: I'm finding more bugs with afl-fuzz these days
> as I managed to speed up fuzzing and also because
> coverage of vim tests (used as input for fuzzing) has
> increased lately.
Keep them coming!
--
hundred-and-one symptoms of being an internet addict:
160. You get in the elevator and double-click the button for the floor
you want.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
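An added example, not code from Vim or from either poster: a simplified stand-in for utf_head_off() in C that applies the cursor-column clamp (the job mb_adjust_cursor() is meant to do) before any byte at the cursor column is read, so a stale cursor past the end of a line cannot read beyond the line buffer. The names clamp_cursor_col and utf8_head_off are assumptions for illustration.

```c
#include <stddef.h>

/* Added illustration, not Vim's code: a simplified stand-in for
 * utf_head_off() with the bounds check applied before the read that
 * the Valgrind report shows going past the line's block.
 * A UTF-8 continuation byte has the form 10xxxxxx. */
static int utf8_is_trail(unsigned char c)
{
    return (c & 0xC0) == 0x80;
}

/* Normal-mode cursor rule: the cursor sits on a byte of the line, so the
 * largest valid column is len - 1 (0 for an empty line).  A cursor left
 * behind by a scroll command on a line that no longer has that many
 * bytes must be clamped before any byte at "col" is touched. */
size_t clamp_cursor_col(size_t len, size_t col)
{
    if (len == 0)
        return 0;
    return col < len ? col : len - 1;
}

/* Return how many bytes before "col" the current UTF-8 character
 * starts, never reading outside line[0 .. len-1]. */
int utf8_head_off(const char *line, size_t len, size_t col)
{
    size_t i;

    if (len == 0)
        return 0;                   /* empty line: nothing to inspect */
    col = clamp_cursor_col(len, col);
    i = col;
    /* Walk back over continuation bytes, but never before the line start. */
    while (i > 0 && utf8_is_trail((unsigned char)line[i]))
        i--;
    return (int)(col - i);
}
```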
--
You received this message from the "vim_dev" maillist.