Marius Gedminas <[email protected]> wrote:

> On Tue, Nov 24, 2015 at 05:11:02PM +0100, Bram Moolenaar wrote:
> > Dominique wrote:
> >
> > > afl-fuzz fuzzer came up with the following command,
> > > which causes access to uninitialized memory in
> > > Vim-7-4-909:
> > >
> > > $ valgrind --track-origins=yes 2> valgrind.log \
> > >   vim -u NONE -c 'syn keyword x nextgroup=\(\1\)'
> > >
> > > In valgrind.log:
> > >
> > > ==4366== Memcheck, a memory error detector
> > > ==4366== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> > > ==4366== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for 
> > > copyright info
> > > ==4366== Command: ./vim -u NONE -c syn\ keyword\ x\ nextgroup=\\(\\1\\)
> > > ==4366==
> > > ==4366== Conditional jump or move depends on uninitialised value(s)
> > > ==4366==    at 0x55246B: match_backref (regexp_nfa.c:4882)
> > > ==4366==    by 0x555276: nfa_regmatch (regexp_nfa.c:6398)
> > > ==4366==    by 0x556214: nfa_regtry (regexp_nfa.c:6894)
> > > ==4366==    by 0x5569DF: nfa_regexec_both (regexp_nfa.c:7085)
> > > ==4366==    by 0x556D6A: nfa_regexec_nl (regexp_nfa.c:7247)
> > > ==4366==    by 0x55702D: vim_regexec_both (regexp.c:8179)
> > > ==4366==    by 0x5571BD: vim_regexec (regexp.c:8238)
> > > ==4366==    by 0x5A90B8: get_id_list (syntax.c:6027)
> > > ==4366==    by 0x5A5C2F: get_syn_options (syntax.c:4602)
> > > ==4366==    by 0x5A63C4: syn_cmd_keyword (syntax.c:4840)
> > > ==4366==    by 0x5A97B3: ex_syntax (syntax.c:6296)
> > > ==4366==    by 0x46E052: do_one_cmd (ex_docmd.c:2961)
> > > ==4366==  Uninitialised value was created by a heap allocation
> > > ==4366==    at 0x4C2AB80: malloc (in
> > > /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> > > ==4366==    by 0x4E27E3: lalloc (misc2.c:921)
> > > ==4366==    by 0x5530D0: nfa_regmatch (regexp_nfa.c:5474)
> > > ==4366==    by 0x556214: nfa_regtry (regexp_nfa.c:6894)
> > > ==4366==    by 0x5569DF: nfa_regexec_both (regexp_nfa.c:7085)
> > > ==4366==    by 0x556D6A: nfa_regexec_nl (regexp_nfa.c:7247)
> > > ==4366==    by 0x55702D: vim_regexec_both (regexp.c:8179)
> > > ==4366==    by 0x5571BD: vim_regexec (regexp.c:8238)
> > > ==4366==    by 0x5A90B8: get_id_list (syntax.c:6027)
> > > ==4366==    by 0x5A5C2F: get_syn_options (syntax.c:4602)
> > > ==4366==    by 0x5A63C4: syn_cmd_keyword (syntax.c:4840)
> > > ==4366==    by 0x5A97B3: ex_syntax (syntax.c:6296)
> >
> > Is this fixed by patch 7.4.937, or is this another problem?
>
> I can reproduce this with vim 7.4.941, so it must be a different
> problem.
>
> (Unsurprisingly, since \z(\) doesn't make an appearance.)

Replying to this old thread.
I just tried to reproduce this with the latest Vim-8.1.177
and I cannot reproduce it anymore.

Doing a git bisection, the issue was resolved in this
commit more than a year ago:

===
commit 1ef9bbe215e13a273e74fccaddd8fc5a42c76b6e
Author: Bram Moolenaar <[email protected]>
Date:   Sat Jun 17 20:08:20 2017 +0200

    patch 8.0.0645: no error for illegal back reference in NFA engine

    Problem:    The new regexp engine does not give an error for using a back
                reference where it is not allowed. (Dominique Pelle)
    Solution:   Check the back reference like the old engine. (closes #1774)
===

So we can remove this item, still in runtime/doc/todo.txt, as
in the attached patch:

===
Access to uninitialized memory in match_backref() regexp_nda.c:4882
(Dominique Pelle, 2015 Nov 6)
===

Regards
Dominique
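As an added example (my own code, not from this thread or from Vim), a small Python triage helper that parses memcheck logs of the shape quoted above, pairing each error report with the --track-origins allocation stack so fuzzer findings can be grouped by error site and origin site rather than by raw log text. The sample log is constructed from the valgrind output quoted earlier in the thread and abbreviated.

```python
import re
# Constructed sample, abbreviated from the valgrind.log quoted earlier in this thread.
SAMPLE_LOG = """\
==4366== Memcheck, a memory error detector
==4366==
==4366== Conditional jump or move depends on uninitialised value(s)
==4366==    at 0x55246B: match_backref (regexp_nfa.c:4882)
==4366==    by 0x555276: nfa_regmatch (regexp_nfa.c:6398)
==4366==    by 0x556214: nfa_regtry (regexp_nfa.c:6894)
==4366==  Uninitialised value was created by a heap allocation
==4366==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4366==    by 0x4E27E3: lalloc (misc2.c:921)
==4366==    by 0x5530D0: nfa_regmatch (regexp_nfa.c:5474)
"""

PREFIX = re.compile(r"^==\d+==\s?(.*)$")                         # strip the "==pid==" prefix
FRAME = re.compile(r"^\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
# Memcheck headers that open an error block (the kinds fuzzing most often turns up).
ERROR_KINDS = ("Conditional jump", "Use of uninitialised", "Invalid read",
               "Invalid write", "Invalid free", "Syscall param")

def parse_memcheck(text):
    # Group memcheck lines into findings, pairing each error stack with its origin stack.
    findings, target = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue
        line = m.group(1)
        frame = FRAME.match(line)
        if frame:                                  # "at 0x...: func (file:line)" frame
            if target is not None:
                target.append((frame.group(1), frame.group(2)))
        elif line.startswith(ERROR_KINDS):         # new error block
            findings.append({"kind": line, "frames": [], "origin": "", "origin_frames": []})
            target = findings[-1]["frames"]
        elif line.startswith(" Uninitialised value was created") and findings:
            findings[-1]["origin"] = line.strip()  # --track-origins=yes explanation
            target = findings[-1]["origin_frames"]
        else:
            target = None                          # banner, blank or summary line
    return findings

def triage(text):
    # One line per finding: kind, innermost frame, first origin frame with a source location.
    out = []
    for f in parse_memcheck(text):
        where = "%s (%s)" % f["frames"][0] if f["frames"] else "?"
        created = next((loc for _, loc in f["origin_frames"] if not loc.startswith("in ")), "?")
        out.append("%s at %s; value created at %s" % (f["kind"], where, created))
    return out
```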

-- 
You received this message from the "vim_dev" maillist.
diff --git a/runtime/doc/todo.txt b/runtime/doc/todo.txt
index a39715799..8b82d555f 100644
--- a/runtime/doc/todo.txt
+++ b/runtime/doc/todo.txt
@@ -1018,9 +1018,6 @@ Added tests (James McCoy, 2016 Aug 3).  Still needs more work.
 Feature request: add the "al" text object, to manipulate a screen line.
 Especially useful when using 'linebreak'
 
-Access to uninitialized memory in match_backref() regexp_nda.c:4882
-(Dominique Pelle, 2015 Nov 6)
-
 ":cd C:\Windows\System32\drivers\etc*" does not work, even though the
 directory exists. (Sergio Gallelli, 2013 Dec 29)
 
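Review bot: the entry being removed names "regexp_nda.c", a typo for regexp_nfa.c (the valgrind trace in this thread points at regexp_nfa.c:4882), so it is indeed the item resolved by patch 8.0.0645; since the hunk itself carries no pointer to that fix, the commit message for this todo.txt change should cite 8.0.0645 (closes #1774) so the history stays traceable, and it is worth confirming that a regression test covers the original `syn keyword x nextgroup=\(\1\)` input, because this change relies on the earlier fix rather than on a test of its own.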
