Hi

The attached (nonsensical) Vim script, found by afl-fuzz, causes a heap read overflow in Vim-7.4.2323 and older:
$ valgrind --num-callers=40 ./vim -u NONE -S overflow2.vim 2> log
==8161== Memcheck, a memory error detector
==8161== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==8161== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==8161== Command: ./vim -u NONE -S overflow2.vim
==8161==
==8161== Invalid read of size 1
==8161==    at 0x4F483B: utf_head_off (mbyte.c:3740)
==8161==    by 0x4F4F2B: mb_adjustpos (mbyte.c:4022)
==8161==    by 0x50603E: get_op_vcol (normal.c:9454)
==8161==    by 0x4F8A01: do_pending_operator (normal.c:1621)
==8161==    by 0x512DC8: clip_get_selection (ops.c:6428)
==8161==    by 0x5C657C: clip_copy_selection (ui.c:544)
==8161==    by 0x5C668E: clip_auto_select (ui.c:614)
==8161==    by 0x4F80FB: do_pending_operator (normal.c:1395)
==8161==    by 0x4F7C32: normal_cmd (normal.c:1182)
==8161==    by 0x47DF5C: exec_normal (ex_docmd.c:10250)
==8161==    by 0x47DF1B: exec_normal_cmd (ex_docmd.c:10233)
==8161==    by 0x47DD2D: ex_normal (ex_docmd.c:10142)
==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==8161==    by 0x46C017: do_source (ex_cmds2.c:4097)
==8161==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
==8161==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==8161==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
==8161==    by 0x5FA121: exe_commands (main.c:2896)
==8161==    by 0x5F7506: vim_main2 (main.c:781)
==8161==    by 0x5F6EB0: main (main.c:415)
==8161==  Address 0x76c11d2 is 1 bytes after a block of size 1 alloc'd
==8161==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==8161==    by 0x4E699B: lalloc (misc2.c:920)
==8161==    by 0x4E6868: alloc (misc2.c:818)
==8161==    by 0x4E6E0D: vim_strsave (misc2.c:1263)
==8161==    by 0x4CC1CC: ml_replace (memline.c:3092)
==8161==    by 0x450239: f_setline (evalfunc.c:9866)
==8161==    by 0x441378: call_internal_func (evalfunc.c:999)
==8161==    by 0x5D3EC6: call_func (userfunc.c:1372)
==8161==    by 0x5D1C7D: get_func_tv (userfunc.c:455)
==8161==    by 0x5D7A50: ex_call (userfunc.c:2981)
==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==8161==    by 0x46C017: do_source (ex_cmds2.c:4097)
==8161==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
==8161==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==8161==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
==8161==    by 0x5FA121: exe_commands (main.c:2896)
==8161==    by 0x5F7506: vim_main2 (main.c:781)
==8161==    by 0x5F6EB0: main (main.c:415)

vim-7.4.52 that comes with xubuntu-14.04 does not have the bug.

"git bisect" indicates that the regression was introduced in vim-7.4.753:

===
74db34cc9162445e3d500ab2d61c5c19ce9af0ca is the first bad commit
commit 74db34cc9162445e3d500ab2d61c5c19ce9af0ca
Author: Bram Moolenaar <[email protected]>
Date:   Thu Jun 25 13:30:46 2015 +0200

    patch 7.4.753
    Problem:    Appending in Visual mode with 'linebreak' set does not work
                properly. Also when 'selection' is "exclusive". (Ingo Karkat)
    Solution:   Recalculate virtual columns. (Christian Brabandt)
===

Regards
Dominique
Attachment: overflow2.vim
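The Valgrind report above says the faulting read is one byte past a one-byte allocation made by vim_strsave() for a line set with setline(), which is what an empty line (just its terminating NUL) occupies, and that the read happens while a multibyte position is being adjusted. The following is an added illustration of that error class and of the check that prevents it, written for this page; it is not Vim's code, the function names (head_offset, adjust_col, col_in_bounds) are invented for the example, and it makes no claim about what the real mb_adjustpos() or utf_head_off() do internally.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not Vim's code: a byte column that was never clamped to
 * the current line's length lets the caller read past the NUL that ends a
 * 1-byte allocation (an empty line), which is exactly what Valgrind flags as
 * "Invalid read of size 1 ... 1 bytes after a block of size 1". */

/* Number of bytes p lies past the head byte of its UTF-8 character.
 * Continuation bytes look like 10xxxxxx.  The scan never steps before base,
 * so a string that begins with a stray continuation byte is handled too. */
static size_t head_offset(const unsigned char *base, const unsigned char *p)
{
    size_t off = 0;
    while (p > base && (*p & 0xC0) == 0x80) {
        p--;
        off++;
    }
    return off;
}

/* Move a byte column to the head of the multibyte character it points into.
 * A stale column (for instance one left over from a longer line) is clamped
 * to [0, strlen(line)] first, so for an empty line the only result is 0 and
 * nothing beyond the terminating NUL is ever dereferenced. */
size_t adjust_col(const char *line, size_t col)
{
    size_t len = strlen(line);
    const unsigned char *base = (const unsigned char *)line;

    if (col >= len)
        return len;                 /* at or past the end: park on the NUL */
    return col - head_offset(base, base + col);
}

/* 1 if col addresses a byte inside line's allocation (the NUL included),
 * 0 otherwise.  This is the precondition the unclamped caller was missing. */
int col_in_bounds(const char *line, size_t col)
{
    return col <= strlen(line);
}
```

The inputs in the test are constructed: an empty line with a column of 1 reproduces the shape of the reported read (one byte past a one-byte block), and the two-byte UTF-8 sequence 0xC3 0xA9 ("é") shows the backward scan landing on the head byte without ever leaving the buffer.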
