Hi

Vim-7.4.803 (and older) accesses invalid memory when doing:

    $ vim -u NONE -c 'fun X('

Attached patch fixes it. Bug was found with afl-fuzz + asan.
Here's asan's report:

    =================================================================
    ==8351==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000014fb7 at pc 0x437a42 bp 0x7fff2eedb810 sp 0x7fff2eedb808
    READ of size 1 at 0x602000014fb7 thread T0
        #0 0x437a41 in skipwhite /home/pel/sb/vim/src/charset.c:1552
        #1 0x4da110 in ex_function /home/pel/sb/vim/src/eval.c:22498
        #2 0x52afb6 in do_one_cmd /home/pel/sb/vim/src/ex_docmd.c:2941
        #3 0x523388 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1133
        #4 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
        #5 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
        #6 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
        #7 0x7ff967b2cec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
        #8 0x40ea18 (/home/pel/sb/vim/src/vim+0x40ea18)

    0x602000014fb7 is located 0 bytes to the right of 7-byte region [0x602000014fb0,0x602000014fb7)
    allocated by thread T0 here:
        #0 0x7ff96a8fd7df in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x547df)
        #1 0x664ca7 in lalloc /home/pel/sb/vim/src/misc2.c:921
        #2 0x664a8b in alloc /home/pel/sb/vim/src/misc2.c:820
        #3 0x665533 in vim_strsave /home/pel/sb/vim/src/misc2.c:1246
        #4 0x522f35 in do_cmdline /home/pel/sb/vim/src/ex_docmd.c:1063
        #5 0x521f6c in do_cmdline_cmd /home/pel/sb/vim/src/ex_docmd.c:738
        #6 0x9450df in exe_commands /home/pel/sb/vim/src/main.c:2926
        #7 0x93e9b5 in main /home/pel/sb/vim/src/main.c:961
        #8 0x7ff967b2cec4 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/pel/sb/vim/src/charset.c:1552 skipwhite
    ==8351==ABORTING

Regards
Dominique
diff -r 893d1ea575c9 src/eval.c --- a/src/eval.c Tue Jul 28 21:17:37 2015 +0200 +++ b/src/eval.c Sat Aug 01 05:24:32 2015 +0200 @@ -22490,6 +22490,11 @@ break; } } + if (*p != ')') + { + EMSG2(_("E107: Missing parentheses: %s"), eap->arg); + goto erret; + } ++p; /* skip the ')' */ /* find extra arguments "range", "dict" and "abort" */
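Review bot: the new `if (*p != ')')` guard sits right after the argument loop, which is the right place: the ASan report shows a 7-byte allocation (the six characters of "fun X(" plus NUL) being read one byte past its end from skipwhite, which is what `++p; /* skip the ')' */` causes when the loop ended on the terminating NUL instead of on ')'. Two things to confirm before merging: that `erret` releases whatever the loop above already allocated for argument names, so the early `goto erret` does not trade the out-of-bounds read for a leak, and that a regression test covering `:fun X(` and a partial list such as `:fun X(a,` is added, so every NUL exit path of the loop is exercised through the new check and not only the empty-list case. Reusing the existing E107 message with `eap->arg` is fine, since the user then sees the whole offending command.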
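The parsing bug behind the report and the guard the patch adds, as an added C illustration; this is not Vim's code, and `parse_arglist` with its simplified name rules is my own construction:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Added illustration of the ":function" argument-list parse that the
 * patch hardens; this is not Vim's code.  After the opening '(' the
 * parser walks comma-separated names until it meets ')' or the end of
 * the string.  Returns the number of names parsed, or -1 when ')' is
 * missing or a name is malformed.  On success *endp points just past
 * the ')', where Vim then looks for "range", "dict" and "abort". */
static int parse_arglist(const char *p, const char **endp)
{
    int nargs = 0;

    p = strchr(p, '(');
    if (p == NULL)
        return -1;
    ++p;                              /* step over '(' */

    for (;;)
    {
        while (*p == ' ' || *p == '\t')
            ++p;                      /* skipwhite */
        if (*p == ')' || *p == '\0')
            break;                    /* end of list, or input ran out */
        if (!isalpha((unsigned char)*p) && *p != '_')
            return -1;                /* not an argument name */
        while (isalnum((unsigned char)*p) || *p == '_')
            ++p;
        ++nargs;
        while (*p == ' ' || *p == '\t')
            ++p;
        if (*p == ',')
            ++p;
        else if (*p != ')')
            return -1;                /* only ',' or ')' may follow a name */
    }

    /* The guard the patch adds.  Without it, on input like "fun X(" the
     * loop leaves p on the terminating NUL, the ++p below steps past the
     * 7-byte allocation and the next skipwhite reads out of bounds. */
    if (*p != ')')
        return -1;
    ++p;                              /* skip the ')' */
    if (endp != NULL)
        *endp = p;
    return nargs;
}
```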