Hi

afl-fuzz found another case which causes an illegal
memory access in vim-7.4.1052 and older:

$ valgrind vim -u NONE -c 'syn sync linecont' -c q 2> vg.log

... and valgrind shows in vg.log:

==7473== Memcheck, a memory error detector
==7473== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==7473== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==7473== Command: vim -u NONE -c syn\ sync\ linecont -c q
==7473==
==7473== Invalid read of size 1
==7473==    at 0x535653: skip_regexp (regexp.c:1267)
==7473==    by 0x5A8EE4: syn_cmd_sync (syntax.c:5842)
==7473==    by 0x5A2109: ex_syntax (syntax.c:6299)
==7473==    by 0x46EBD4: do_one_cmd (ex_docmd.c:2962)
==7473==    by 0x46B8D3: do_cmdline (ex_docmd.c:1133)
==7473==    by 0x46AF1D: do_cmdline_cmd (ex_docmd.c:738)
==7473==    by 0x5D9958: exe_commands (main.c:2928)
==7473==    by 0x5D6F4D: main (main.c:962)
==7473==  Address 0x75fa312 is 0 bytes after a block of size 18 alloc'd
==7473==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7473==    by 0x4E3447: lalloc (misc2.c:921)
==7473==    by 0x4E3355: alloc (misc2.c:820)
==7473==    by 0x4E3522: vim_strsave (misc2.c:1243)
==7473==    by 0x46B6FD: do_cmdline (ex_docmd.c:1063)
==7473==    by 0x46AF1D: do_cmdline_cmd (ex_docmd.c:738)
==7473==    by 0x5D9958: exe_commands (main.c:2928)
==7473==    by 0x5D6F4D: main (main.c:962)
...more errors after that...

Attached patch fixes it.

Regards
Dominique

diff --git a/src/syntax.c b/src/syntax.c
index 937fbf1..badb226 100644
--- a/src/syntax.c
+++ b/src/syntax.c
@@ -5833,6 +5833,11 @@ syn_cmd_sync(eap, syncing)
 	}
 	else if (STRCMP(key, "LINECONT") == 0)
 	{
+	    if (*next_arg == NUL)	   /* missing pattern */
+	    {
+		illegal = TRUE;
+		break;
+	    }
 	    if (curwin->w_s->b_syn_linecont_pat != NULL)
 	    {
 		EMSG(_("E403: syntax sync: line continuations pattern specified twice"));
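Review bot: The new `*next_arg == NUL` guard at the top of the LINECONT branch comes without a regression test, so nothing keeps the missing-pattern case from regressing. Please add one that runs the reproducer from the report (`syn sync linecont` with no pattern) and checks that the command is rejected. The guard is also placed ahead of the E403 "specified twice" check, so a bare `linecont` on a buffer that already has a continuation pattern takes the `illegal = TRUE` path instead of E403. That ordering looks right, since there is no second pattern to complain about, but a word in the comment would make it clear the order is deliberate.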
