Vim-8.0.873 and older crash with the attached
nonsensical "crash.vim" script:

$ vim -u NONE -S crash.vim
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)

Running with valgrind gives:

==4446== Memcheck, a memory error detector
==4446== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4446== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==4446== Command: vim -u NONE -S crash.vim
==4446== Invalid write of size 1
==4446==    at 0x4C31060: strcpy (in
==4446==    by 0x4BD91E: strcpy (string3.h:110)
==4446==    by 0x4BD91E: home_replace (misc1.c:4644)
==4446==    by 0x47E67F: msg_add_fname (fileio.c:5269)
==4446==    by 0x47E67F: filemess (fileio.c:165)
==4446==    by 0x48246A: readfile (fileio.c:659)
==4446==    by 0x40A060: open_buffer (buffer.c:236)
==4446==    by 0x44FA97: do_ecmd (ex_cmds.c:4185)
==4446==    by 0x466023: do_exedit (ex_docmd.c:8744)
==4446==    by 0x461A47: do_one_cmd (ex_docmd.c:2952)
==4446==    by 0x45DC8D: do_cmdline (ex_docmd.c:1089)
==4446==    by 0x4526C0: global_exe (ex_cmds.c:5914)
==4446==    by 0x4525AA: ex_global (ex_cmds.c:6054)
==4446==    by 0x461A47: do_one_cmd (ex_docmd.c:2952)
==4446==  Address 0x84cc4f1 is 0 bytes after a block of size 1,025 alloc'd
==4446==    at 0x4C2DB8F: malloc (in
==4446==    by 0x4CB857: lalloc (misc2.c:942)
==4446==    by 0x5F034B: common_init (main.c:953)
==4446==    by 0x5EDFE3: main (main.c:177)
(followed by other errors)

The attached patch fixes it, but it might be
only a workaround, as I don't think that the
script should cause such a long string.

Bug was found using afl-fuzz.


You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php


Attachment: crash.vim
Description: Binary data

diff --git a/src/misc1.c b/src/misc1.c
index f19c2dc..ac2ce24 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -4641,7 +4641,13 @@ home_replace(
     if (buf != NULL && buf->b_help)
-	STRCPY(dst, gettail(src));
+	char_u *tail = gettail(src);
+	int	taillen = STRLEN(tail);
+	if (taillen < dstlen)
+	    mch_memmove(dst, tail, taillen + 1);
+	else
+	    *dst = NUL;
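Review bot: the body of `if (buf != NULL && buf->b_help)` on the context line has no braces in the hunk as shown, yet the single `STRCPY(...)` statement is replaced by a declaration plus an if/else; without an enclosing `{ ... }` only the first added line would belong to that `if`, and the following statements would run unconditionally. The hunk header declares 7 old and 13 new lines but far fewer are visible, so the enclosing braces may sit in the elided context; if they do not, wrap the whole added block in braces and move the two declarations to the top of that block to match the surrounding C89 style. Two smaller points: `STRLEN()` yields a `size_t`, so declare `taillen` as `size_t` (or cast) rather than `int` to keep the comparison with `dstlen` sign-consistent; and the `else` branch emits an empty string when the tail does not fit, whereas copying `dstlen - 1` bytes and NUL-terminating would still show a truncated file name in the message instead of none at all.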
