Dominique wrote:

> Vim-8.0.880 and older writes to invalid memory with the
> attached nonsensical script:
> 
> $ vim -u NONE -S bug-expand_env_esc.vim
> 
> I have no idea what this strange script found by afl-fuzz
> should do, but obviously it should not overflow memory.
> 
> Valgrind says:
> 
> ==11853== Memcheck, a memory error detector
> ==11853== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==11853== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
> ==11853== Command: vim -u NONE -S c.vim
> ==11853==
> ==11853== Invalid write of size 1
> ==11853==    at 0x4BE229: expand_env_esc (misc1.c:4191)
> ==11853==    by 0x469E0C: expand_filename (ex_docmd.c:5177)
> ==11853==    by 0x46ED19: do_one_cmd (ex_docmd.c:2890)
> ==11853==    by 0x46ED19: do_cmdline (ex_docmd.c:1089)
> ==11853==    by 0x4556E3: global_exe (ex_cmds.c:6093)
> ==11853==    by 0x455B0C: ex_global (ex_cmds.c:6054)
> ==11853==    by 0x46B7B3: do_one_cmd (ex_docmd.c:2952)
> ==11853==    by 0x46B7B3: do_cmdline (ex_docmd.c:1089)
> ==11853==    by 0x45F661: do_source (ex_cmds2.c:4377)
> ==11853==    by 0x46016B: cmd_source (ex_cmds2.c:3990)
> ==11853==    by 0x46B7B3: do_one_cmd (ex_docmd.c:2952)
> ==11853==    by 0x46B7B3: do_cmdline (ex_docmd.c:1089)
> ==11853==    by 0x5C6010: exe_commands (main.c:2968)
> ==11853==    by 0x5C6010: vim_main2 (main.c:805)
> ==11853==    by 0x40A088: main (main.c:419)
> ==11853==  Address 0x84cd540 is 0 bytes after a block of size 4,096 alloc'd
> ==11853==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==11853==    by 0x4C6DD0: lalloc (misc2.c:942)
> ==11853==    by 0x5C4883: common_init (main.c:954)
> ==11853==    by 0x409A7B: main (main.c:177)
> (followed by more errors)
> 
> Attached patch fixes it.
> 
> I have not created a test as I find this case too ugly.
> If we can reproduce the overflow with a cleaner case,
> then we can consider adding a test.

Makes sense.  Thanks for the fix!

-- 
ARTHUR: Go on, Bors, chop its head off.
BORS:   Right.  Silly little bleeder.  One rabbit stew coming up.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
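The Valgrind trace above reports a one-byte write just past a 4,096-byte heap block while an environment variable is being expanded into a fixed-size destination. The following is an added example, not Vim's expand_env_esc() and not the attached patch, showing the defensive shape such a routine needs: every byte written to the destination passes through one length check that reserves room for the terminator, so the function reports truncation instead of writing at or past dst[dstlen]. The names expand_vars, put_byte and lookup_env, and the small environment table, are constructed for this example so it runs offline.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed environment table so the example does not depend on the
 * real process environment (hypothetical data, not from the bug report). */
struct env_entry { const char *name; const char *value; };
static const struct env_entry fake_env[] = {
    { "HOME", "/home/user" },
    { "LONG", "0123456789012345678901234567890123456789" },
};

/* Look up NAME (namelen bytes, not NUL-terminated) in the table above. */
static const char *lookup_env(const char *name, size_t namelen)
{
    for (size_t i = 0; i < sizeof fake_env / sizeof fake_env[0]; i++)
        if (strlen(fake_env[i].name) == namelen
            && memcmp(fake_env[i].name, name, namelen) == 0)
            return fake_env[i].value;
    return NULL;
}

/* The single choke point for writes: store c at dst[*pos] only if room
 * remains for c AND the final NUL.  Returns 0 on success, -1 if the byte
 * would not fit.  Because every write goes through here, no code path can
 * reach dst[dstlen] or beyond. */
static int put_byte(char *dst, size_t dstlen, size_t *pos, char c)
{
    if (*pos + 1 >= dstlen)
        return -1;
    dst[(*pos)++] = c;
    return 0;
}

/* expand_vars: copy src into dst (capacity dstlen), replacing "$NAME" with
 * the table value when NAME is known and copying it literally otherwise.
 * Returns the number of bytes written (excluding the NUL) or -1 when the
 * expansion did not fit; dst is always NUL-terminated when dstlen > 0.
 * Hypothetical helper written for this example, not Vim's expand_env_esc(). */
int expand_vars(const char *src, char *dst, size_t dstlen)
{
    size_t pos = 0;
    if (dstlen == 0)
        return -1;
    while (*src) {
        if (*src == '$') {
            const char *name = src + 1;
            size_t namelen = 0;
            while (name[namelen]
                   && (isalnum((unsigned char)name[namelen]) || name[namelen] == '_'))
                namelen++;
            const char *val = namelen ? lookup_env(name, namelen) : NULL;
            if (val) {
                for (const char *p = val; *p; p++)
                    if (put_byte(dst, dstlen, &pos, *p) < 0)
                        goto overflow;
                src = name + namelen;
                continue;
            }
            /* Unknown or empty variable name: fall through and copy '$' as-is. */
        }
        if (put_byte(dst, dstlen, &pos, *src) < 0)
            goto overflow;
        src++;
    }
    dst[pos] = '\0';
    return (int)pos;
overflow:
    /* pos is at most dstlen - 1 here, so the terminator stays in bounds. */
    dst[pos] = '\0';
    return -1;
}

int main(void)
{
    char buf[16];
    int n = expand_vars("$HOME/.vimrc", buf, sizeof buf);
    printf("fits:      %d \"%s\"\n", n, buf);
    n = expand_vars("$LONG", buf, sizeof buf);
    printf("truncated: %d \"%s\"\n", n, buf);   /* -1, 15 bytes kept */
    return 0;
}
```

The point of routing every store through put_byte is that the bound is checked once, in one place, rather than re-derived at each of the several copy loops such a function tends to grow; a missed check in any one of those loops is exactly the class of off-by-one the Valgrind report describes.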

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
