Hi

afl-fuzz found another invalid memory access in
vim-8.0.373 and older:

$ valgrind vim -u NONE -e -s -c's/^/x' -csc 2>log

And log contains:

==5629== Memcheck, a memory error detector
==5629== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==5629== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==5629== Command: ./vim -u NONE -e -s -cs/^/x -csc
==5629==
==5629== Invalid read of size 1
==5629==    at 0x4CC1D0: utf_head_off (mbyte.c:3746)
==5629==    by 0x5A939E: getvcol (charset.c:1307)
==5629==    by 0x453949: do_sub (ex_cmds.c:5291)
==5629==    by 0x469B04: do_one_cmd (ex_docmd.c:2981)
==5629==    by 0x469B04: do_cmdline (ex_docmd.c:1120)
==5629==    by 0x5AE67B: exe_commands (main.c:2905)
==5629==    by 0x5AE67B: vim_main2 (main.c:781)
==5629==    by 0x40B4C5: main (main.c:415)
==5629==  Address 0x85165ff is 1 bytes before a block of size 2 alloc'd
==5629==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==5629==    by 0x4C1EBB: lalloc (misc2.c:942)
==5629==    by 0x4C28BD: alloc (misc2.c:840)
==5629==    by 0x4C28BD: vim_strsave (misc2.c:1285)
==5629==    by 0x4ACD87: ml_replace (memline.c:3094)
==5629==    by 0x452B6A: do_sub (ex_cmds.c:5703)
==5629==    by 0x469B04: do_one_cmd (ex_docmd.c:2981)
==5629==    by 0x469B04: do_cmdline (ex_docmd.c:1120)
==5629==    by 0x5AE67B: exe_commands (main.c:2905)
==5629==    by 0x5AE67B: vim_main2 (main.c:781)
==5629==    by 0x40B4C5: main (main.c:415)

The attached patch avoids the bug, but it looks more like a
workaround than a proper fix.

Regards
Dominique

-- 
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
diff --git a/src/charset.c b/src/charset.c
index 984d765..ceae116 100644
--- a/src/charset.c
+++ b/src/charset.c
@@ -1298,7 +1298,7 @@ getvcol(
     {
 	/* Special check for an empty line, which can happen on exit, when
 	 * ml_get_buf() always returns an empty string. */
-	if (*ptr == NUL)
+	if (*ptr == NUL || pos->col < 0)
 	    pos->col = 0;
 	posptr = ptr + pos->col;
 #ifdef FEAT_MBYTE
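Review bot: clamping `pos->col` to 0 in getvcol() masks the caller's bug instead of fixing it. The valgrind trace shows do_sub (ex_cmds.c:5291) handing getvcol() a position one byte before the 2-byte line that ml_replace() (ex_cmds.c:5703) just stored, i.e. a column of -1, so the negative column should be corrected in do_sub at the point where the cursor column is computed after the substitution, not silently swallowed in a routine every cursor-column caller goes through. If the guard is kept, the comment above it ("Special check for an empty line ...") still only explains the `*ptr == NUL` case; extend it to say why a negative column can arrive here, and consider making the negative-column branch fail loudly in debug builds so other callers passing a bad column are not hidden by the same clamp.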
