Christian Brabandt wrote:

> On So, 09 Jul 2017, Bram Moolenaar wrote:
> >
> > James McCoy wrote:
> >
> > > A few issues were reported on RedHat's bug tracker[0] which have been
> > > assigned CVE-2017-11109. I took an initial look at them and reduced the
> > > fuzzer-created scripts so they're clearer (especially for POC2).
> > >
> > > [0]: https://bugzilla.redhat.com/show_bug.cgi?id=1468492
> > >
> > > I've also attached a patch that resolves the issue for POC1. Below are
> > > the ASAN tracebacks for each issue, all using 8.0.0702.
> >
> > I think I fixed POC1, however for POC2 and POC3 I can't really
> > see what the problem is. Perhaps it requires ASAN, valgrind won't be
> > sufficient?
>
> POC2 crashes here at ex_getln.c
>
> 971         if (ccline.cmdpos > 0)
> 972         {
> 973             char_u *p;
> 974
> 975             j = ccline.cmdpos;
> 976             p = ccline.cmdbuff + j;
> 977 #ifdef FEAT_MBYTE
> 978             if (has_mbyte)
> 979             {
> 980                 p = mb_prevptr(ccline.cmdbuff, p);
>
> ccline.cmdbuff is NULL, I think because of an earlier call to open_cmdwin
> setting ccline.cmdbuff=NULL
>
> This patch fixes the crash:
Thanks for looking into this.

Dealing with cmdbuff being NULL works to fix this specific problem, but it
is dangerous anyway. Instead let's make the cmdbuff empty, that avoids
similar problems.

-- 
The coffee just wasn't strong enough to defend itself -- Tom Waits

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
 /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/     \\\
 \\\  an exciting new programming language -- http://www.Zimbu.org      ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
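The two fix strategies discussed above (NULL-check at the crash site versus never leaving cmdbuff NULL) side by side, as an added example that is not part of the thread and not Vim's code. The struct, `utf8_prevptr` (a stand-in for `mb_prevptr`), `cmdline_reset_null`, `cmdline_reset_empty`, `cmdline_set` and `cmdline_invariant_ok` are all assumptions for this illustration; only the field names `cmdbuff` and `cmdpos` come from the quoted ex_getln.c listing.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed miniature of the command-line state from the thread.
 * cmdbuff/cmdpos are the field names from ex_getln.c; everything else
 * here is an assumption for this example, not Vim's implementation. */
typedef struct {
    char *cmdbuff;  /* NUL-terminated command-line text */
    int   cmdpos;   /* byte offset of the cursor inside cmdbuff */
} cmdline_t;

/* Stand-in for mb_prevptr(): step back from p to the start of the previous
 * UTF-8 character, never moving before base. */
static char *utf8_prevptr(char *base, char *p)
{
    if (p <= base)
        return base;
    p--;
    while (p > base && (((unsigned char)*p) & 0xC0) == 0x80)
        p--;                          /* skip UTF-8 continuation bytes */
    return p;
}

/* Consumer written like the crash site: it trusts that cmdbuff is valid
 * whenever cmdpos > 0. Returns the byte index of the character before the
 * cursor, or -1 when the cursor is at the start of the line. */
int cmdline_prev_char_index(cmdline_t *ccline)
{
    if (ccline->cmdpos > 0)
    {
        char *p = ccline->cmdbuff + ccline->cmdpos;   /* NULL + j if dangling */
        p = utf8_prevptr(ccline->cmdbuff, p);
        return (int)(p - ccline->cmdbuff);
    }
    return -1;
}

/* The dangerous reset: frees the buffer and leaves cmdbuff NULL while
 * cmdpos may still be non-zero, so every consumer must remember a check. */
void cmdline_reset_null(cmdline_t *ccline)
{
    free(ccline->cmdbuff);
    ccline->cmdbuff = NULL;
}

/* The safer reset in the spirit of the reply: keep an allocated empty string
 * and zero the cursor, so consumers never see NULL. Returns 0 on success. */
int cmdline_reset_empty(cmdline_t *ccline)
{
    char *empty = malloc(1);
    if (empty == NULL)
        return -1;
    empty[0] = '\0';
    free(ccline->cmdbuff);
    ccline->cmdbuff = empty;
    ccline->cmdpos = 0;
    return 0;
}

/* Copy text into the command line with the cursor at the end. */
int cmdline_set(cmdline_t *ccline, const char *text)
{
    size_t n = strlen(text);
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, text, n + 1);
    free(ccline->cmdbuff);
    ccline->cmdbuff = buf;
    ccline->cmdpos = (int)n;
    return 0;
}

/* Invariant a debug build can assert before using the buffer: non-NULL and
 * cursor inside the string. A NULL reset violates it; an empty reset keeps it. */
int cmdline_invariant_ok(const cmdline_t *ccline)
{
    return ccline->cmdbuff != NULL
        && ccline->cmdpos >= 0
        && (size_t)ccline->cmdpos <= strlen(ccline->cmdbuff);
}

int main(void)
{
    cmdline_t ccline = { NULL, 0 };
    cmdline_set(&ccline, "a\xC3\xA9");            /* "a" + U+00E9, 3 bytes */
    printf("prev char index: %d\n", cmdline_prev_char_index(&ccline));
    cmdline_reset_empty(&ccline);
    printf("after empty reset, invariant ok: %d\n", cmdline_invariant_ok(&ccline));
    free(ccline.cmdbuff);
    return 0;
}
```

With the empty-buffer invariant, the crash-site code needs no change: `cmdpos` is 0 after a reset, so the `cmdpos > 0` branch is never entered on a freshly reset line, and any later caller that reintroduced a NULL would be caught by `cmdline_invariant_ok` rather than by a segfault at the next consumer.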