Hi
Vim-7.4.711 accesses invalid memory with this command:
$ vim -E -u NONE -c 'call search(getline(.))' crash-2
... where crash-2 is the attached file (12 bytes).
Symptoms look similar to the bug fixed in Vim-7.4.704,
but it is a different bug with a different stack reported by
the address sanitizer:
=
==10373== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x606200019d00 at pc 0xa4fb30 bp 0x7ffd45236850 sp 0x7ffd45236848
READ of size 1 at 0x606200019d00 thread T0
#0 0xa4fb2f in utf_ptr2char /home/pel/sb/vim/src/mbyte.c:1696
#1 0xc61f74 in nfa_regmatch /home/pel/sb/vim/src/regexp_nfa.c:6763
(discriminator 1)
#2 0xc685e5 in nfa_regtry /home/pel/sb/vim/src/regexp_nfa.c:6894
#3 0xc6be15 in nfa_regexec_both /home/pel/sb/vim/src/regexp_nfa.c:7085
#4 0xce5a76 in vim_regexec_multi /home/pel/sb/vim/src/regexp.c:8275
#5 0xd810dc in searchit /home/pel/sb/vim/src/search.c:639
#6 0x57770d in search_cmn /home/pel/sb/vim/src/eval.c:16361
#7 0x5e9eac in call_func /home/pel/sb/vim/src/eval.c:8760
#8 0x60cc74 in get_func_tv /home/pel/sb/vim/src/eval.c:8560
#9 0x62e8bc in ex_call /home/pel/sb/vim/src/eval.c:3505
#10 0x7112d5 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#11 0x72368b in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#12 0x423d33 in exe_commands /home/pel/sb/vim/src/main.c:2922
#13 0x7f093ad5bec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
#14 0x429a29 in _start ??:?
0x606200019d00 is located 0 bytes to the right of 4096-byte region
[0x606200018d00,0x606200019d00)
allocated by thread T0 here:
#0 0x7f093daed41a in malloc ??:?
#1 0x9e419c in lalloc /home/pel/sb/vim/src/misc2.c:926
#2 0x10e289e in mf_alloc_bhdr /home/pel/sb/vim/src/memfile.c:952
#3 0x8e12c4 in ml_new_data /home/pel/sb/vim/src/memline.c:3545
#4 0x46ff7a in open_buffer /home/pel/sb/vim/src/buffer.c:98
#5 0x422c15 in create_windows /home/pel/sb/vim/src/main.c:2692
#6 0x7f093ad5bec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
Shadow bytes around the buggy address:
0x0c0cbfffb350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffb360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffb370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffb380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffb390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=0x0c0cbfffb3a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfffb3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0cbfffb3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c0cbfffb3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone:f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return:f5
Stack use after scope: f8
Global redzone:f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==10373== ABORTING
Attached patch fixes it. I hope that such bugs with
invalid utf8 are not too nitpicky.
Bug was found using the american fuzzy lop fuzzer:
http://lcamtuf.coredump.cx/afl/
Regards
Dominique
--
--
You received this message from the vim_dev maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
vim_dev group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
crash-2
Description: Binary data
diff -r 3790fb70e04c src/regexp_nfa.c
--- a/src/regexp_nfa.c Tue Apr 21 19:10:49 2015 +0200
+++ b/src/regexp_nfa.c Wed Apr 22 04:55:19 2015 +0200
@@ -6602,7 +6602,7 @@
/* If ireg_icombine is not set only skip over the character
* itself. When it is set skip over composing characters. */
if (result enc_utf8 !ireg_icombine)
- clen = utf_char2len(curc);
+ clen = utf_ptr2len(reginput);
#endif
ADD_STATE_IF_MATCH(t-state);
break;