On Tuesday, February 7, 2017 at 9:36:20 PM UTC-6, shqking wrote:

> Hi all.
>
> Suspicious integer overflow is found in
> src/spellfile.c:1607 (https://github.com/vim/vim/blob/master/src/spellfile.c#L1607).
>
> Signed integer overflow might occur for len * sizeof(int) at line 1607, if
> len can hold a value whose range is (0xffff ffff / 4, 0x7fff ffff].
>
> Assume that len is 0x4000 0001. len * sizeof(int) would overflow to 0x4,
> which is much smaller than the expected result, i.e. 0x1 0000 0004.
> As a result, smaller memory space is allocated at line 1607 and buffer
> overflow would occur at line 1613.
>
> Note that len is read from a file fd.
> Since I'm not very familiar with the source code of vim, I'm not sure whether
> the concrete values of len can be controlled by adversaries or not.
> If so, this issue is a critical bug. If not, it's a false positive and please
> ignore it.
>
> Attached please find one possible patch.
> Thanks a lot.
Hey there, my name is Riley and I am an undergraduate student studying computer science at the University of Texas at San Antonio. Right now I am conducting an investigation on buffer overflow, and came across this post. I was wondering if you might be able to give me some instructions on how to replicate this bug. Although numerous patches have been released since this bug was found, I need to replicate the issue for my project.

So far I have downloaded the source code from GitHub on my machine and edited the version.c (src/version.c) file, commenting out the patches until I hit 321 (patches 322+ fix the bug). I am not the most experienced at editing source code, so I was wondering if this change would allow me to recreate the bug, or if that file actually does anything beyond referencing/adding each patch to an array.

I also went into the spellfile (src/spellfile.c) and looked at the changes made there, but I have not determined whether I should delete the three lines that were added to fix this bug (1598-1600) or just change the code somehow. The variable len is what can cause the overflow to occur (if len = 0x4000 0001 as you said), and len is read from a file fd. So how can I get the size of len to cause the overflow from a file? Is there some sort of command I need to run with vim to cause this to happen?

Thank you for any help on this and I find all of this very interesting.

--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
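The defensive side of the report above, as an added example that is not vim's code and not the patch the thread refers to: a count is read from an untrusted 4-byte big-endian field (modelled on a spell-file section header, constructed here), and the allocation size for `len` ints is computed only after checking that `len * sizeof(int)` cannot wrap in a 32-bit size. The 32-bit arithmetic is modelled with `uint32_t` so the wrap shown in the report (0x40000001 * 4 == 4) reproduces on a 64-bit host too; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Assumes a 4-byte int, as in the report's (0xffffffff / 4, 0x7fffffff] range. */
#define ELEM_SIZE ((uint32_t)sizeof(int))

/* Read a big-endian 32-bit count the way a file section length would be read.
 * Returns it as int32_t so a top bit set becomes a negative value, as with a
 * signed len. */
int32_t read_be32_count(const unsigned char *p) {
    uint32_t v = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (int32_t)v;
}

/* The unchecked size computation in 32-bit arithmetic: for len = 0x40000001
 * this wraps to 4 instead of 0x100000004. */
uint32_t unchecked_bytes32(int32_t len) {
    return (uint32_t)len * ELEM_SIZE;
}

/* Hardened version: reject negative counts and any count whose product with
 * the element size would not fit in a 32-bit size. Returns 1 and stores the
 * byte count on success, 0 on rejection. */
int checked_int_array_bytes(int32_t len, uint32_t *out_bytes) {
    if (len < 0)
        return 0;
    if ((uint32_t)len > UINT32_MAX / ELEM_SIZE)   /* multiplication would wrap */
        return 0;
    *out_bytes = (uint32_t)len * ELEM_SIZE;
    return 1;
}

/* Allocate room for len ints from a header field; NULL when the count is
 * rejected (the caller then treats the file as corrupt instead of reading
 * len ints into a short buffer). */
int *alloc_ints_from_header(const unsigned char *hdr) {
    uint32_t bytes;
    int32_t len = read_be32_count(hdr);
    if (!checked_int_array_bytes(len, &bytes))
        return NULL;
    return (int *)malloc(bytes);
}
```

In the vulnerable path the unchecked product is what reaches the allocator; in the hardened path the count is validated first, so the follow-up loop that fills `len` entries can never outrun the buffer.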
