Dominique Pellé wrote:
> afl-fuzz found another invalid memory access in
> vim-8.0.373 and older:
>
> $ valgrind vim -u NONE -e -s -c's/^/x' -csc 2>log
>
> And log contains:
>
> ==5629== Memcheck, a memory error detector
> ==5629== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==5629== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==5629== Command: ./vim -u NONE -e -s -cs/^/x -csc
> ==5629==
> ==5629== Invalid read of size 1
> ==5629== at 0x4CC1D0: utf_head_off (mbyte.c:3746)
> ==5629== by 0x5A939E: getvcol (charset.c:1307)
> ==5629== by 0x453949: do_sub (ex_cmds.c:5291)
> ==5629== by 0x469B04: do_one_cmd (ex_docmd.c:2981)
> ==5629== by 0x469B04: do_cmdline (ex_docmd.c:1120)
> ==5629== by 0x5AE67B: exe_commands (main.c:2905)
> ==5629== by 0x5AE67B: vim_main2 (main.c:781)
> ==5629== by 0x40B4C5: main (main.c:415)
> ==5629== Address 0x85165ff is 1 bytes before a block of size 2 alloc'd
> ==5629== at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==5629== by 0x4C1EBB: lalloc (misc2.c:942)
> ==5629== by 0x4C28BD: alloc (misc2.c:840)
> ==5629== by 0x4C28BD: vim_strsave (misc2.c:1285)
> ==5629== by 0x4ACD87: ml_replace (memline.c:3094)
> ==5629== by 0x452B6A: do_sub (ex_cmds.c:5703)
> ==5629== by 0x469B04: do_one_cmd (ex_docmd.c:2981)
> ==5629== by 0x469B04: do_cmdline (ex_docmd.c:1120)
> ==5629== by 0x5AE67B: exe_commands (main.c:2905)
> ==5629== by 0x5AE67B: vim_main2 (main.c:781)
> ==5629== by 0x40B4C5: main (main.c:415)
>
> Attached patch avoids the bug, but it looks more like a
> workaround than a proper fix.
Thanks for finding this bug. Yeah, that's not the right place to fix
it. Should check for a negative column in do_sub().
I also managed to reproduce it in a test. And found a hang in Ex mode
while doing that.
--
Far back in the mists of ancient time, in the great and glorious days of the
former Galactic Empire, life was wild, rich and largely tax free.
Mighty starships plied their way between exotic suns, seeking adventure and
reward among the furthest reaches of Galactic space. In those days, spirits
were brave, the stakes were high, men were real men, women were real women
and small furry creatures from Alpha Centauri were real small furry creatures
from Alpha Centauri. And all dared to brave unknown terrors, to do mighty
deeds, to boldly split infinitives that no man had split before -- and thus
was the Empire forged.
-- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
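The trace above reports a one-byte read just before a heap block, reached from do_sub() through getvcol() and utf_head_off(), and the reply's diagnosis is a column that went negative. The C below is an added example and not vim's code: the function names utf8_head_off and vcol_at, the simplified cell widths (one cell per UTF-8 character, tabs advancing to the next multiple of tabstop) and the tabstop parameter are this example's own assumptions. It shows the two guards such code needs: the caller rejecting a negative or past-the-end column before using it as a buffer index, and the head-byte walk refusing to step before the start of the buffer.

```c
/* Added example, not vim's code.  Illustrates the class of bug in the
 * Valgrind trace (a byte read one position before a heap buffer because a
 * column index went negative) and the guards that prevent it.  Names and
 * width rules are this example's own assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Number of bytes from p back to the head byte of the UTF-8 character that
 * contains p.  base marks the start of the buffer: the walk never steps
 * before it, so a mid-character or corrupt p cannot read outside the
 * allocation. */
size_t utf8_head_off(const unsigned char *base, const unsigned char *p)
{
    size_t off = 0;
    /* 10xxxxxx bytes are continuation bytes; anything else is a head byte. */
    while (p > base && (*p & 0xC0) == 0x80) {
        --p;
        ++off;
    }
    return off;
}

/* Display column of byte index col in line.  Each UTF-8 character counts
 * as one cell and a tab advances to the next multiple of tabstop (assumed
 * > 0); these simplified widths are an assumption of this example.
 * Returns -1 for an out-of-range column instead of indexing with it. */
long vcol_at(const char *line, long col, int tabstop)
{
    const unsigned char *base = (const unsigned char *)line;
    size_t len = strlen(line);

    /* The guard the caller in the trace lacked: a column that went negative
     * (or past the terminating NUL) must never be used as a buffer index. */
    if (col < 0 || (size_t)col > len)
        return -1;

    /* Snap a column inside a multibyte character back to its head byte;
     * bounded by base, so it cannot walk before the allocation. */
    col -= (long)utf8_head_off(base, base + col);

    long vcol = 0;
    for (long i = 0; i < col; i++) {
        unsigned char c = base[i];
        if ((c & 0xC0) == 0x80)
            continue;                       /* same cell as its head byte */
        if (c == '\t')
            vcol += tabstop - (vcol % tabstop);
        else
            vcol += 1;
    }
    return vcol;
}

int main(void)
{
    /* Constructed input mirroring the trace: a one-byte line ("x") and a
     * column of -1.  The guard returns -1 rather than reading line[-1]. */
    printf("vcol_at(\"x\", -1) = %ld\n", vcol_at("x", -1, 8));
    printf("vcol_at(\"x\", 1)  = %ld\n", vcol_at("x", 1, 8));
    return 0;
}
```

The two checks are independent on purpose: the caller-side range check is what a fix in do_sub() would add, while the base bound inside utf8_head_off keeps the helper safe even when some other caller passes a pointer that lands on a continuation byte at the very start of a buffer.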