On So, 09 Jul 2017, Bram Moolenaar wrote:
>
> James McCoy wrote:
>
> > A few issues were reported on RedHat's bug tracker[0] which have been
> > assigned CVE-2017-11109. I took an initial look at them and reduced the
> > fuzzer-created scripts so they're clearer (especially for POC2).
> >
> > [0]: https://bugzilla.redhat.com/show_bug.cgi?id=1468492
> >
> > I've also attached a patch that resolves the issue for POC1. Below are
> > the ASAN tracebacks for each issue, all using 8.0.0702.
>
> I think I fixed POC1, however for POC2 and POC3 I can't really
> see what the problem is. Perhaps it requires ASAN, valgrind won't be
> sufficient?
POC2 crashes here at ex_getln.c:

   971     if (ccline.cmdpos > 0)
   972     {
   973         char_u *p;
   974
   975         j = ccline.cmdpos;
   976         p = ccline.cmdbuff + j;
   977 #ifdef FEAT_MBYTE
   978         if (has_mbyte)
   979         {
   980             p = mb_prevptr(ccline.cmdbuff, p);

ccline.cmdbuff is NULL, I think because of an earlier call to open_cmdwin
setting ccline.cmdbuff=NULL.
This patch fixes the crash:
diff --git a/src/ex_getln.c b/src/ex_getln.c
index a888ba412..9747956f0 100644
--- a/src/ex_getln.c
+++ b/src/ex_getln.c
@@ -791,6 +791,7 @@ getcmdline(
/* In Ex mode a backslash escapes a newline. */
if (exmode_active
&& c != ESC
+ && ccline.cmdbuff
&& ccline.cmdpos == ccline.cmdlen
&& ccline.cmdpos > 0
&& ccline.cmdbuff[ccline.cmdpos - 1] == '\\')
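Review bot: the added `&& ccline.cmdbuff` term guards the `ccline.cmdbuff[ccline.cmdpos - 1]` dereference, but the neighbouring conditions `ccline.cmdpos == ccline.cmdlen` and `ccline.cmdpos > 0` show that the state being tolerated is one where the buffer is gone while cmdpos and cmdlen still describe text. Consider resetting cmdpos and cmdlen at the place where open_cmdwin sets cmdbuff to NULL, so that the existing `cmdpos > 0` checks stay sufficient on their own, or at least add a comment here stating that a NULL buffer with a non-zero position is expected after the command-line window closes, so the check is not later removed as redundant.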
@@ -968,7 +969,7 @@ getcmdline(
ccline.cmdpos += mb_off_next(ccline.cmdbuff,
ccline.cmdbuff + ccline.cmdpos);
#endif
- if (ccline.cmdpos > 0)
+ if (ccline.cmdbuff && ccline.cmdpos > 0)
{
char_u *p;
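Review bot: the guard `if (ccline.cmdbuff && ccline.cmdpos > 0)` sits just below the unchanged context lines `ccline.cmdpos += mb_off_next(ccline.cmdbuff, ccline.cmdbuff + ccline.cmdpos);`, which pass ccline.cmdbuff to mb_off_next with no NULL check. If cmdbuff can be NULL on this path, that call reaches the same pointer first and needs the same guard (or the whole multibyte adjustment should be skipped when cmdbuff is NULL); otherwise the new check only protects the second of two dereferences.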
Best,
Christian
--
Alles Lebendige bildet eine Atmosphäre um sich her.
-- Goethe, Maximen und Reflektionen, Nr. 819
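As an added example, not code from Vim or from anyone in this thread, the following constructed C snippet models the inconsistent state described above (a buffer pointer dropped to NULL while the position and length still describe text), the unguarded condition from the first hunk, the guarded form the patch introduces, and the alternative of keeping the state consistent at the point where the buffer is dropped. The struct and function names are hypothetical stand-ins, not Vim's real ccline or open_cmdwin.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical stand-in for Vim's command-line state (constructed for
 * this example; not Vim's real struct). */
typedef struct {
    char *cmdbuff;   /* NULL when no command line is being edited */
    int   cmdpos;    /* cursor position in cmdbuff */
    int   cmdlen;    /* length of the text in cmdbuff */
} cmdline_state;

/* Models the state the report describes: a nested command-line window
 * drops the buffer but leaves cmdpos/cmdlen untouched. */
void drop_buffer_keep_positions(cmdline_state *s)
{
    s->cmdbuff = NULL;
}

/* Unpatched shape of the first hunk's condition: the position checks pass
 * in the inconsistent state and cmdbuff is dereferenced while NULL. */
bool ends_with_backslash_unguarded(const cmdline_state *s)
{
    return s->cmdpos == s->cmdlen
        && s->cmdpos > 0
        && s->cmdbuff[s->cmdpos - 1] == '\\';
}

/* Patched shape: the NULL test is evaluated first, so && short-circuits
 * before the dereference. */
bool ends_with_backslash_guarded(const cmdline_state *s)
{
    return s->cmdbuff != NULL
        && s->cmdpos == s->cmdlen
        && s->cmdpos > 0
        && s->cmdbuff[s->cmdpos - 1] == '\\';
}

/* Alternative fix at the root: maintain the invariant
 * "cmdbuff == NULL implies cmdpos == cmdlen == 0", so the existing
 * cmdpos > 0 checks remain sufficient on their own. */
void drop_buffer_consistently(cmdline_state *s)
{
    s->cmdbuff = NULL;
    s->cmdpos = 0;
    s->cmdlen = 0;
}

/* Builds a state whose cursor sits at the end of the given text. */
cmdline_state make_state(char *text)
{
    cmdline_state s;
    s.cmdbuff = text;
    s.cmdlen = (int)strlen(text);
    s.cmdpos = s.cmdlen;
    return s;
}
```

Both fixes stop the crash; the difference is that the guarded predicate tolerates the inconsistent state everywhere it is checked, while resetting the positions with the buffer removes the state so that every existing `cmdpos > 0` test already protects the dereference.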