Dominique wrote:

> Here is another bug with visual mode found by afl-fuzz
> in Vim-8.0.337 and older.  It's an old bug since Vim-7.4.52
> already had the bug. I did not check earlier versions.
> 
> Steps to reproduce:
> 
> $ valgrind vim -u NONE -c"norm oxX" -c"norm vki'" 2>log
> 
> And log contains:
> 
> ==3973== Memcheck, a memory error detector
> ==3973== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==3973== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==3973== Command: vim -u NONE -cnorm\ oxX -cnorm\ vki'
> ==3973==
> ==3973== Invalid read of size 1
> ==3973==    at 0x561935: current_quote (search.c:4391)
> ==3973==    by 0x4DC6B9: nv_object (normal.c:9250)
> ==3973==    by 0x4DC6B9: nv_edit (normal.c:9039)
> ==3973==    by 0x4D5E53: normal_cmd (normal.c:1150)
> ==3973==    by 0x461DD1: exec_normal (ex_docmd.c:10418)
> ==3973==    by 0x461CC8: exec_normal_cmd (ex_docmd.c:10401)
> ==3973==    by 0x461CC8: ex_normal (ex_docmd.c:10310)
> ==3973==    by 0x45CCFD: do_one_cmd (ex_docmd.c:2981)
> ==3973==    by 0x458F5D: do_cmdline (ex_docmd.c:1120)
> ==3973==    by 0x5D1EDC: exe_commands (main.c:2905)
> ==3973==    by 0x5D1EDC: vim_main2 (main.c:781)
> ==3973==    by 0x5D0809: main (main.c:415)
> ==3973==  Address 0x76862e0 is 0 bytes after a block of size 4,096 alloc'd
> ==3973==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==3973==    by 0x4C5A07: lalloc (misc2.c:942)
> ==3973==    by 0x5D4155: mf_alloc_bhdr (memfile.c:907)
> ==3973==    by 0x5D4155: mf_new (memfile.c:381)
> ==3973==    by 0x4A7864: ml_new_data (memline.c:3515)
> ==3973==    by 0x4A7864: ml_open (memline.c:400)
> ==3973==    by 0x405F34: open_buffer (buffer.c:163)
> ==3973==    by 0x5D1A44: create_windows (main.c:2677)
> ==3973==    by 0x5D1A44: vim_main2 (main.c:704)
> ==3973==    by 0x5D0809: main (main.c:415)
> 
> Overflow happens at line search.c:4391:
> 
>   4389         /* Find out if we have a quote in the selection. */
>   4390         while (i <= col_end)
> !!4391             if (line[i++] == quotechar)
>   4392             {
>   4393                 selected_quote = TRUE;
>   4394                 break;
>   4395             }
> 
> Before entering the while loop at line 4390, line="" (empty line)
> and col_end=1. So the loop accesses line[1], which is invalid.
> I suppose that it's another case of inconsistency with line
> and cursor position, which I'm not sure how to fix.

It assumes the cursor and the Visual start position are in the same
line.  Looks like adding a check that they are actually in the same line
fixes it.  These quoted text objects only work inside one line.

-- 
"You're fired." (1980)
"You're laid off." (1985)
"You're downsized." (1990)
"You're rightsized." (1992)
                                (Scott Adams - The Dilbert principle)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
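A small C model of the scan from the report and of the same-line check the reply describes, added here as an example; it is not Vim's code, and `struct pos`, `selection_has_quote` and `visual_quote_selected` are hypothetical names standing in for Vim's own:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Vim's pos_T: line number plus column. */
struct pos { long lnum; int col; };

/* Scan columns col_start..col_end of `line` for `quotechar`.  The loop in
 * the report trusts col_end and dereferences line[col_end] even past the
 * NUL terminator (line == "", col_end == 1).  Here the range is clamped
 * to the real line length, so no byte beyond strlen(line) is read. */
static int selection_has_quote(const char *line, int col_start, int col_end, char quotechar)
{
    size_t len = strlen(line);
    if (col_start < 0)
        col_start = 0;
    /* an empty line, or a start past its end, has nothing to scan */
    if (len == 0 || (size_t)col_start >= len)
        return 0;
    if (col_end < 0 || (size_t)col_end >= len)
        col_end = (int)len - 1;          /* last readable byte */
    for (int i = col_start; i <= col_end; i++)
        if (line[i] == quotechar)
            return 1;
    return 0;
}

/* Modelled on the fix described in the reply: quoted text objects only
 * work inside one line, so a Visual selection whose start and cursor sit
 * on different lines is rejected before any column is looked at. */
static int visual_quote_selected(const char *line, struct pos vstart, struct pos cursor, char quotechar)
{
    if (vstart.lnum != cursor.lnum)
        return 0;                        /* multi-line selection: no scan */
    int cs = vstart.col < cursor.col ? vstart.col : cursor.col;
    int ce = vstart.col < cursor.col ? cursor.col : vstart.col;
    return selection_has_quote(line, cs, ce, quotechar);
}

int main(void)
{
    /* Constructed from the report: "oxX" puts "xX" on line 2, "vk" starts
     * Visual there and moves the cursor up to the empty line 1. */
    struct pos vstart = { 2, 1 }, cursor = { 1, 0 };
    printf("multi-line: %d\n", visual_quote_selected("", vstart, cursor, '\''));
    struct pos a = { 1, 0 }, b = { 1, 3 };
    printf("same line:  %d\n", visual_quote_selected("a'bc", a, b, '\''));
    return 0;
}
```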
