Hi

Vim-8.0.880 and older writes to invalid memory with the
attached nonsensical script:

$ vim -u NONE -S bug-expand_env_esc.vim

I have no idea what this strange script found by afl-fuzz
should do, but obviously it should not overflow memory.

Valgrind says:

==11853== Memcheck, a memory error detector
==11853== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==11853== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==11853== Command: vim -u NONE -S c.vim
==11853==
==11853== Invalid write of size 1
==11853==    at 0x4BE229: expand_env_esc (misc1.c:4191)
==11853==    by 0x469E0C: expand_filename (ex_docmd.c:5177)
==11853==    by 0x46ED19: do_one_cmd (ex_docmd.c:2890)
==11853==    by 0x46ED19: do_cmdline (ex_docmd.c:1089)
==11853==    by 0x4556E3: global_exe (ex_cmds.c:6093)
==11853==    by 0x455B0C: ex_global (ex_cmds.c:6054)
==11853==    by 0x46B7B3: do_one_cmd (ex_docmd.c:2952)
==11853==    by 0x46B7B3: do_cmdline (ex_docmd.c:1089)
==11853==    by 0x45F661: do_source (ex_cmds2.c:4377)
==11853==    by 0x46016B: cmd_source (ex_cmds2.c:3990)
==11853==    by 0x46B7B3: do_one_cmd (ex_docmd.c:2952)
==11853==    by 0x46B7B3: do_cmdline (ex_docmd.c:1089)
==11853==    by 0x5C6010: exe_commands (main.c:2968)
==11853==    by 0x5C6010: vim_main2 (main.c:805)
==11853==    by 0x40A088: main (main.c:419)
==11853==  Address 0x84cd540 is 0 bytes after a block of size 4,096 alloc'd
==11853==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==11853==    by 0x4C6DD0: lalloc (misc2.c:942)
==11853==    by 0x5C4883: common_init (main.c:954)
==11853==    by 0x409A7B: main (main.c:177)
(followed by more errors)

Attached patch fixes it.

I have not created a test as I find this case too ugly.
If we can reproduce the overflow with a cleaner case,
then we can consider adding a test.

Regards
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php


Attachment: bug-expand_env_esc.vim
Description: Binary data

diff --git a/src/misc1.c b/src/misc1.c
index 4e51bed..41028e6 100644
--- a/src/misc1.c
+++ b/src/misc1.c
@@ -4180,12 +4180,15 @@ expand_env_esc(
 	    }
 	    else if ((src[0] == ' ' || src[0] == ',') && !one)
 		at_start = TRUE;
-	    *dst++ = *src++;
-	    --dstlen;
+	    if (dstlen > 0)
+	    {
+		*dst++ = *src++;
+		--dstlen;
 
-	    if (startstr != NULL && src - startstr_len >= srcp
-		    && STRNCMP(src - startstr_len, startstr, startstr_len) == 0)
-		at_start = TRUE;
+		if (startstr != NULL && src - startstr_len >= srcp
+			&& STRNCMP(src - startstr_len, startstr, startstr_len) == 0)
+		    at_start = TRUE;
+	    }
 	}
     }
     *dst = NUL;
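Review bot: the new `if (dstlen > 0)` guard removes the one-byte overrun, but it changes the loop's progress guarantee: once dstlen reaches 0, `src` is no longer advanced in this block, so the enclosing `while` (not shown in the hunk) must exit on `dstlen`, not only on `*src`; please confirm its condition includes `dstlen > 0`, otherwise a full buffer would spin forever instead of overflowing. The placement is right, since the branch closed by the `}` at the top of the hunk still copies one byte and decrements `dstlen` before this guard is reached, so that branch can consume the last slot. A short comment on the new `if`, e.g. `/* out of room: stop copying, NUL is written after the loop */`, would document that the silent truncation is intended and that the caller gets no signal of it. A regression test should accompany the fix even if it is a reduced form of the afl-fuzz script.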
