Re: [bug] read heap overflow in do_pending_operator()

2016-09-08 Conversation thread Dominique Pellé
Dominique Pellé wrote:

> Hi
>
> Here is one more bug found by afl-fuzz in vim-7.4.2330
> and older:
>
> $ cat bug.vim
> new
> call append(0, [" a", "b"])
> norm kVdggViw
> bw!
> %d
>
> $ valgrind --num-callers=20 vim -u NONE -S bug.vim -c q 2> log
>
> $ cat log
> ==7787== Memcheck, a memory error detector
> ==7787== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==7787== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==7787== Command: vim -u NONE -S bug.vim -c q
> ==7787==
> ==7787== Invalid read of size 1
> ==7787==    at 0x4D881C: do_pending_operator (normal.c:1700)
> ==7787==    by 0x4E39F8: clip_get_selection (ops.c:6428)
> ==7787==    by 0x59F800: clip_copy_selection (ui.c:544)
> ==7787==    by 0x59F7A3: clip_auto_select (ui.c:614)
> ==7787==    by 0x4D7E06: end_visual_mode (normal.c:3281)
> ==7787==    by 0x465A6E: ex_operators (ex_docmd.c:9243)
> ==7787==    by 0x45EC77: do_one_cmd (ex_docmd.c:2962)
> ==7787==    by 0x45A9F2: do_cmdline (ex_docmd.c:1110)
> ==7787==    by 0x458ADC: do_source (ex_cmds2.c:4097)
> ==7787==    by 0x4582D3: cmd_source (ex_cmds2.c:3710)
> ==7787==    by 0x45EC77: do_one_cmd (ex_docmd.c:2962)
> ==7787==    by 0x45A9F2: do_cmdline (ex_docmd.c:1110)
> ==7787==    by 0x5CEEEC: exe_commands (main.c:2896)
> ==7787==    by 0x5CEEEC: vim_main2 (main.c:781)
> ==7787==    by 0x5CD91C: main (main.c:415)
> ==7787==  Address 0x76b0b80 is 0 bytes after a block of size 4,096 alloc'd
> ==7787==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==7787==    by 0x4C81D7: lalloc (misc2.c:942)
> ==7787==    by 0x5D127E: mf_alloc_bhdr (memfile.c:907)
> ==7787==    by 0x5D127E: mf_new (memfile.c:381)
> ==7787==    by 0x4AC6F1: ml_new_data (memline.c:3513)
> ==7787==    by 0x4AC6F1: ml_open (memline.c:400)
> ==7787==    by 0x406373: open_buffer (buffer.c:160)
> ==7787==    by 0x5CEA44: create_windows (main.c:2668)
> ==7787==    by 0x5CEA44: vim_main2 (main.c:704)
> ==7787==    by 0x5CD91C: main (main.c:415)
>
> Regards
> Dominique


Patch 7.4.2347 fixed this bug.  Good.
Bug was still happening up to patch 7.4.2346.

Thanks!
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


[bug] read heap overflow in do_pending_operator()

2016-09-05 Conversation thread Dominique Pellé
Hi

Here is one more bug found by afl-fuzz in vim-7.4.2330
and older:

$ cat bug.vim
new
call append(0, [" a", "b"])
norm kVdggViw
bw!
%d

$ valgrind --num-callers=20 vim -u NONE -S bug.vim -c q 2> log

$ cat log
==7787== Memcheck, a memory error detector
==7787== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==7787== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==7787== Command: vim -u NONE -S bug.vim -c q
==7787==
==7787== Invalid read of size 1
==7787==    at 0x4D881C: do_pending_operator (normal.c:1700)
==7787==    by 0x4E39F8: clip_get_selection (ops.c:6428)
==7787==    by 0x59F800: clip_copy_selection (ui.c:544)
==7787==    by 0x59F7A3: clip_auto_select (ui.c:614)
==7787==    by 0x4D7E06: end_visual_mode (normal.c:3281)
==7787==    by 0x465A6E: ex_operators (ex_docmd.c:9243)
==7787==    by 0x45EC77: do_one_cmd (ex_docmd.c:2962)
==7787==    by 0x45A9F2: do_cmdline (ex_docmd.c:1110)
==7787==    by 0x458ADC: do_source (ex_cmds2.c:4097)
==7787==    by 0x4582D3: cmd_source (ex_cmds2.c:3710)
==7787==    by 0x45EC77: do_one_cmd (ex_docmd.c:2962)
==7787==    by 0x45A9F2: do_cmdline (ex_docmd.c:1110)
==7787==    by 0x5CEEEC: exe_commands (main.c:2896)
==7787==    by 0x5CEEEC: vim_main2 (main.c:781)
==7787==    by 0x5CD91C: main (main.c:415)
==7787==  Address 0x76b0b80 is 0 bytes after a block of size 4,096 alloc'd
==7787==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==7787==    by 0x4C81D7: lalloc (misc2.c:942)
==7787==    by 0x5D127E: mf_alloc_bhdr (memfile.c:907)
==7787==    by 0x5D127E: mf_new (memfile.c:381)
==7787==    by 0x4AC6F1: ml_new_data (memline.c:3513)
==7787==    by 0x4AC6F1: ml_open (memline.c:400)
==7787==    by 0x406373: open_buffer (buffer.c:160)
==7787==    by 0x5CEA44: create_windows (main.c:2668)
==7787==    by 0x5CEA44: vim_main2 (main.c:704)
==7787==    by 0x5CD91C: main (main.c:415)

Regards
Dominique



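An added triage helper, not part of the thread or of Vim, that turns a memcheck report like the one in this bug report into a structured record (access kind and size, faulting frame, and the program's own allocation site of the overrun block), which is what you want when sorting a batch of afl-fuzz findings. The sample log is constructed from the trace above with the stacks trimmed; the parser also tolerates the collapsed indentation a mail client may leave after the ==PID== prefix.

```python
import re

# Constructed sample: the memcheck report from the thread above, stacks trimmed.
SAMPLE_LOG = """\
==7787== Invalid read of size 1
==7787==    at 0x4D881C: do_pending_operator (normal.c:1700)
==7787==    by 0x4E39F8: clip_get_selection (ops.c:6428)
==7787==    by 0x59F800: clip_copy_selection (ui.c:544)
==7787==  Address 0x76b0b80 is 0 bytes after a block of size 4,096 alloc'd
==7787==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==7787==    by 0x4C81D7: lalloc (misc2.c:942)
==7787==    by 0x5D127E: mf_alloc_bhdr (memfile.c:907)
==7787==
"""
ERROR_RE = re.compile(r"^==(\d+)== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s*(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^)]*)\)$")
ADDR_RE = re.compile(r"^==\d+==\s*Address 0x[0-9A-Fa-f]+ is (\d+) bytes "
                     r"(after|before|inside) a block of size ([\d,]+) (alloc'd|free'd)$")

def parse_memcheck(log):
    """One record per 'Invalid read/write': kind, size, faulting stack, and (if
    reported) the nearby heap block plus its allocation stack, innermost frame first."""
    errors, cur, frames = [], None, None
    for line in log.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = {"kind": m.group(2), "size": int(m.group(3)), "stack": [], "block": None, "alloc_stack": []}
            errors.append(cur)
            frames = cur["stack"]          # frame lines now belong to the faulting stack
        elif cur and (m := ADDR_RE.match(line)):
            cur["block"] = {"offset": int(m.group(1)), "where": m.group(2),
                            "size": int(m.group(3).replace(",", "")), "state": m.group(4)}
            frames = cur["alloc_stack"]    # following frames describe the allocation site
        elif cur and (m := FRAME_RE.match(line)):
            frames.append((m.group(1), m.group(2)))
        elif re.match(r"^==\d+==\s*$", line):  # bare ==PID== line ends the report
            cur, frames = None, None
    return errors

def summarize(err):
    """One-line triage summary; the allocation site is the first frame outside valgrind's malloc shim."""
    func, loc = err["stack"][0]
    text = f"{err['size']}-byte heap {err['kind']} at {func} ({loc})"
    if err["block"]:
        b = err["block"]
        afunc, aloc = next(f for f in err["alloc_stack"] if not f[1].startswith("vg_replace_"))
        text += f", {b['offset']} bytes {b['where']} a {b['size']}-byte block {b['state']} via {afunc} ({aloc})"
    return text
```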