Hi
Vim-7.4.803 (and older) accesses invalid memory when doing:
$ vim -u NONE -c 'fun X('
Attached patch fixes it.
Bug was found with afl-fuzz + asan. Here's asan's report:
=================================================================
==8351==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x602000014fb7 at pc 0x437a42 bp 0x7fff2eedb810 sp 0x7fff2eedb808
READ of size 1 at 0x602000014fb7 thread T0
#0 0x437a41 in skipwhite /home/pel/sb/vim/src/charset.c:1552
#1 0x4da110 in ex_function /home/pel/sb/vim/src/eval.c:22498
#2 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
#3 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
#4 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#5 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#6 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#7 0x7ff967b2cec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#8 0x40ea18 (/home/pel/sb/vim/src/vim+0x40ea18)
0x602000014fb7 is located 0 bytes to the right of 7-byte region
[0x602000014fb0,0x602000014fb7)
allocated by thread T0 here:
#0 0x7ff96a8fd7df in __interceptor_malloc
(/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
#1 0x664ca7 in lalloc /home/pel/sb/vim/src/misc2.c:921
#2 0x664a8b in alloc /home/pel/sb/vim/src/misc2.c:820
#3 0x665533 in vim_strsave /home/pel/sb/vim/src/misc2.c:1246
#4 0x522f35 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1063
#5 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
#6 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
#7 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
#8 0x7ff967b2cec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/pel/sb/vim/src/charset.c:1552 skipwhite
Shadow bytes around the buggy address:
0x0c047fffa9a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa9b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa9c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa9d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fffa9e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 05
=>0x0c047fffa9f0: fa fa 02 fa fa fa[07]fa fa fa 04 fa fa fa 00 00
0x0c047fffaa00: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fffaa10: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd
0x0c047fffaa20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffaa30: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fffaa40: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==8351==ABORTING
Regards
Dominique
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to vim_dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
diff -r 893d1ea575c9 src/eval.c
--- a/src/eval.c Tue Jul 28 21:17:37 2015 +0200
+++ b/src/eval.c Sat Aug 01 05:24:32 2015 +0200
@@ -22490,6 +22490,11 @@
break;
}
}
+ if (*p != ')')
+ {
+ EMSG2(_("E107: Missing parentheses: %s"), eap->arg);
+ goto erret;
+ }
++p; /* skip the ')' */
/* find extra arguments "range", "dict" and "abort" */
