Re: [patch] fixed invalid memory access in regex_nfa.c with invalid utf8

[Bram Moolenaar]

Dominique wrote:

 Vim-7.4.711 accesses invalid memory with this command:
 
   $ vim -E -u NONE -c 'call search(getline(.))' crash-2
 
 ... where crash-2 is the attached file (12 bytes).
 
 Symptoms look similar to the bug fixed in Vim-7.4.704,
 but it is a different bug with a different stack reported by
 the address sanitizer:

[...]

 Attached patch fixes it.  I hope that such bugs with
 invalid utf8 are not too nitpicky.

Each one of these might cause a crash.

 Bug was found using the american fuzzy lop fuzzer:
   http://lcamtuf.coredump.cx/afl/

Thanks for the patch!

-- 
If your company is not involved in something called ISO 9000 you probably
have no idea what it is.  If your company _is_ involved in ISO 9000 then you
definitely have no idea what it is.
(Scott Adams - The Dilbert principle)

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org///
 \\\help me help AIDS victims -- http://ICCF-Holland.org///

-- 
-- 
You received this message from the vim_dev maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
vim_dev group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[patch] fixed invalid memory access in regex_nfa.c with invalid utf8

[Dominique Pellé]

Hi

Vim-7.4.711 accesses invalid memory with this command:

  $ vim -E -u NONE -c 'call search(getline(.))' crash-2

... where crash-2 is the attached file (12 bytes).

Symptoms look similar to the bug fixed in Vim-7.4.704,
but it is a different bug with a different stack reported by
the address sanitizer:

=
==10373== ERROR: AddressSanitizer: heap-buffer-overflow on address
0x606200019d00 at pc 0xa4fb30 bp 0x7ffd45236850 sp 0x7ffd45236848
READ of size 1 at 0x606200019d00 thread T0
#0 0xa4fb2f in utf_ptr2char /home/pel/sb/vim/src/mbyte.c:1696
#1 0xc61f74 in nfa_regmatch /home/pel/sb/vim/src/regexp_nfa.c:6763
(discriminator 1)
#2 0xc685e5 in nfa_regtry /home/pel/sb/vim/src/regexp_nfa.c:6894
#3 0xc6be15 in nfa_regexec_both /home/pel/sb/vim/src/regexp_nfa.c:7085
#4 0xce5a76 in vim_regexec_multi /home/pel/sb/vim/src/regexp.c:8275
#5 0xd810dc in searchit /home/pel/sb/vim/src/search.c:639
#6 0x57770d in search_cmn /home/pel/sb/vim/src/eval.c:16361
#7 0x5e9eac in call_func /home/pel/sb/vim/src/eval.c:8760
#8 0x60cc74 in get_func_tv /home/pel/sb/vim/src/eval.c:8560
#9 0x62e8bc in ex_call /home/pel/sb/vim/src/eval.c:3505
#10 0x7112d5 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2940
#11 0x72368b in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#12 0x423d33 in exe_commands /home/pel/sb/vim/src/main.c:2922
#13 0x7f093ad5bec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
#14 0x429a29 in _start ??:?
0x606200019d00 is located 0 bytes to the right of 4096-byte region
[0x606200018d00,0x606200019d00)
allocated by thread T0 here:
#0 0x7f093daed41a in malloc ??:?
#1 0x9e419c in lalloc /home/pel/sb/vim/src/misc2.c:926
#2 0x10e289e in mf_alloc_bhdr /home/pel/sb/vim/src/memfile.c:952
#3 0x8e12c4 in ml_new_data /home/pel/sb/vim/src/memline.c:3545
#4 0x46ff7a in open_buffer /home/pel/sb/vim/src/buffer.c:98
#5 0x422c15 in create_windows /home/pel/sb/vim/src/main.c:2692
#6 0x7f093ad5bec4 in __libc_start_main
/build/buildd/eglibc-2.19/csu/libc-start.c:287
Shadow bytes around the buggy address:
  0x0c0cbfffb350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfffb360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfffb370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfffb380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfffb390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=0x0c0cbfffb3a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfffb3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfffb3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfffb3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0cbfffb3e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0cbfffb3f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap righ redzone: fb
  Freed Heap region: fd
  Stack left redzone:f1
  Stack mid redzone: f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:f5
  Stack use after scope: f8
  Global redzone:f9
  Global init order: f6
  Poisoned by user:  f7
  ASan internal: fe
==10373== ABORTING

Attached patch fixes it.  I hope that such bugs with
invalid utf8 are not too nitpicky.

Bug was found using the american fuzzy lop fuzzer:
  http://lcamtuf.coredump.cx/afl/

Regards
Dominique

-- 
-- 
You received this message from the vim_dev maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
vim_dev group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


crash-2
Description: Binary data
diff -r 3790fb70e04c src/regexp_nfa.c
--- a/src/regexp_nfa.c	Tue Apr 21 19:10:49 2015 +0200
+++ b/src/regexp_nfa.c	Wed Apr 22 04:55:19 2015 +0200
@@ -6602,7 +6602,7 @@
 		/* If ireg_icombine is not set only skip over the character
 		 * itself.  When it is set skip over composing characters. */
 		if (result  enc_utf8  !ireg_icombine)
-		clen = utf_char2len(curc);
+		clen = utf_ptr2len(reginput);
 #endif
 		ADD_STATE_IF_MATCH(t-state);
 		break;