Dominique Pellé wrote:

> The attached (nonsensical) vim script found by afl-fuzz
> causes a read heap overflow in Vim-7.4.2323 and older:
>
> $ valgrind --num-callers=40 ./vim -u NONE -S overflow2.vim 2> log
>
> ==8161== Memcheck, a memory error detector
> ==8161== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==8161== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==8161== Command: ./vim -u NONE -S overflow2.vim
> ==8161==
> ==8161== Invalid read of size 1
> ==8161==    at 0x4F483B: utf_head_off (mbyte.c:3740)
> ==8161==    by 0x4F4F2B: mb_adjustpos (mbyte.c:4022)
> ==8161==    by 0x50603E: get_op_vcol (normal.c:9454)
> ==8161==    by 0x4F8A01: do_pending_operator (normal.c:1621)
> ==8161==    by 0x512DC8: clip_get_selection (ops.c:6428)
> ==8161==    by 0x5C657C: clip_copy_selection (ui.c:544)
> ==8161==    by 0x5C668E: clip_auto_select (ui.c:614)
> ==8161==    by 0x4F80FB: do_pending_operator (normal.c:1395)
> ==8161==    by 0x4F7C32: normal_cmd (normal.c:1182)
> ==8161==    by 0x47DF5C: exec_normal (ex_docmd.c:10250)
> ==8161==    by 0x47DF1B: exec_normal_cmd (ex_docmd.c:10233)
> ==8161==    by 0x47DD2D: ex_normal (ex_docmd.c:10142)
> ==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==8161==    by 0x46C017: do_source (ex_cmds2.c:4097)
> ==8161==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
> ==8161==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
> ==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==8161==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
> ==8161==    by 0x5FA121: exe_commands (main.c:2896)
> ==8161==    by 0x5F7506: vim_main2 (main.c:781)
> ==8161==    by 0x5F6EB0: main (main.c:415)
> ==8161==  Address 0x76c11d2 is 1 bytes after a block of size 1 alloc'd
> ==8161==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==8161==    by 0x4E699B: lalloc (misc2.c:920)
> ==8161==    by 0x4E6868: alloc (misc2.c:818)
> ==8161==    by 0x4E6E0D: vim_strsave (misc2.c:1263)
> ==8161==    by 0x4CC1CC: ml_replace (memline.c:3092)
> ==8161==    by 0x450239: f_setline (evalfunc.c:9866)
> ==8161==    by 0x441378: call_internal_func (evalfunc.c:999)
> ==8161==    by 0x5D3EC6: call_func (userfunc.c:1372)
> ==8161==    by 0x5D1C7D: get_func_tv (userfunc.c:455)
> ==8161==    by 0x5D7A50: ex_call (userfunc.c:2981)
> ==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==8161==    by 0x46C017: do_source (ex_cmds2.c:4097)
> ==8161==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
> ==8161==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
> ==8161==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
> ==8161==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
> ==8161==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
> ==8161==    by 0x5FA121: exe_commands (main.c:2896)
> ==8161==    by 0x5F7506: vim_main2 (main.c:781)
> ==8161==    by 0x5F6EB0: main (main.c:415)
>
> vim-7.4.52 that comes with xubuntu-14.04 does not have
> the bug. "git bisect" indicates that the regression was
> introduced in vim-7.4.753:
>
> ===
> 74db34cc9162445e3d500ab2d61c5c19ce9af0ca is the first bad commit
> commit 74db34cc9162445e3d500ab2d61c5c19ce9af0ca
> Author: Bram Moolenaar <[email protected]>
> Date:   Thu Jun 25 13:30:46 2015 +0200
>
>     patch 7.4.753
>     Problem:    Appending in Visual mode with 'linebreak' set does not work
>                 properly. Also when 'selection' is "exclusive". (Ingo Karkat)
>     Solution:   Recalculate virtual columns. (Christian Brabandt)
> ===
Well, that only triggers an existing problem. The actual problem is that
when setline() changes the line length the start position of the Visual
area becomes invalid. There is no check for that.

--
hundred-and-one symptoms of being an internet addict:
167. You have more than 200 websites bookmarked.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
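As an added illustration of the failure mode Bram describes (a saved Visual start position that is not re-validated after setline() changes the line length), here is a small stand-alone C model. It is not Vim's code: buf_T, pos_T, setline(), pos_is_valid(), check_pos() and byte_at() are constructed for this example and only borrow Vim's names, and the sample lines are made up. The point it shows is the one the valgrind report pins down: the old line is freed and a smaller block is allocated for the new text, while the saved (lnum, col) keeps pointing where the longer line used to be, so dereferencing it reads past the new block unless the position is checked first.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mini-model (not Vim code) of a buffer whose lines are
 * separately malloc'd, a saved Visual start position pointing into one
 * of them, and a setline() that swaps the line for a shorter one. */

typedef struct {
    int lnum;   /* 1-based line number */
    int col;    /* 0-based byte column */
} pos_T;

typedef struct {
    char **lines;
    int    line_count;
} buf_T;

/* Exact-size copy, so each line's block is strlen(text) + 1 bytes. */
static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Build a buffer from constructed sample lines. */
static buf_T *buf_new(const char *const *src, int n)
{
    buf_T *b = malloc(sizeof *b);
    b->lines = malloc((size_t)n * sizeof *b->lines);
    b->line_count = n;
    for (int i = 0; i < n; i++)
        b->lines[i] = xstrdup(src[i]);
    return b;
}

static void buf_free(buf_T *b)
{
    for (int i = 0; i < b->line_count; i++)
        free(b->lines[i]);
    free(b->lines);
    free(b);
}

/* Model of setline(): replace line lnum with a copy of text. The old block
 * is freed and a new one of a possibly different size is allocated; any
 * saved position into the old line is NOT updated. 0 on success, -1 on a
 * bad line number. */
static int setline(buf_T *b, int lnum, const char *text)
{
    if (lnum < 1 || lnum > b->line_count)
        return -1;
    char *copy = xstrdup(text);
    free(b->lines[lnum - 1]);
    b->lines[lnum - 1] = copy;
    return 0;
}

/* The missing check: does the saved position still lie inside its line?
 * col == strlen is the NUL terminator, still inside the allocated block;
 * anything beyond that is outside it. */
static int pos_is_valid(const buf_T *b, pos_T p)
{
    if (p.lnum < 1 || p.lnum > b->line_count || p.col < 0)
        return 0;
    return p.col <= (int)strlen(b->lines[p.lnum - 1]);
}

/* Clamp a stale position onto the current line contents.
 * Returns 1 if it had to be adjusted, 0 if it was already valid. */
static int check_pos(const buf_T *b, pos_T *p)
{
    int adjusted = 0;
    if (p->lnum < 1)              { p->lnum = 1;             adjusted = 1; }
    if (p->lnum > b->line_count)  { p->lnum = b->line_count; adjusted = 1; }
    int len = (int)strlen(b->lines[p->lnum - 1]);
    if (p->col > len)             { p->col = len;            adjusted = 1; }
    if (p->col < 0)               { p->col = 0;              adjusted = 1; }
    return adjusted;
}

/* Read the byte under a position only after validating it; returns -1
 * instead of touching memory outside the line's block. */
static int byte_at(const buf_T *b, pos_T p)
{
    if (!pos_is_valid(b, p))
        return -1;
    return (unsigned char)b->lines[p.lnum - 1][p.col];
}

/* Replay the scenario: Visual start at column 5 of an 11-byte line, then
 * setline() replaces the line with a single byte. The saved start now
 * points 4 bytes past the end of the 2-byte block holding the new line.
 * Returns 1 if the stale position was detected and clamped as expected. */
static int demo(void)
{
    static const char *const sample[] = { "hello world", "second line" };
    buf_T *b = buf_new(sample, 2);
    pos_T vstart = { 1, 5 };                     /* the space in "hello world" */

    int before      = byte_at(b, vstart);        /* ' ' while the line is long */
    setline(b, 1, "x");                          /* line 1 is now "x" + NUL     */
    int stale_valid = pos_is_valid(b, vstart);   /* 0: col 5 > strlen("x")     */
    int adjusted    = check_pos(b, &vstart);     /* 1: col clamped to 1        */
    int after       = byte_at(b, vstart);        /* 0: the terminating NUL     */

    buf_free(b);
    return before == ' ' && !stale_valid && adjusted && vstart.col == 1 && after == 0;
}

int main(void)
{
    puts(demo() ? "stale Visual start detected and clamped"
                : "unexpected result");
    return 0;
}
```

byte_at() stands in for whatever walks the text from the Visual start (in the report that is utf_head_off() via mb_adjustpos()); the fix the model suggests is simply to run check_pos() on the saved positions after any buffer change before they are dereferenced.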
