heap-buffer-overflow in vim_strrchr in vim/vim

Valid

Reported on

Mar 18th 2023


Description

Heap-based buffer overflow (out-of-bounds read) in vim_strrchr at strings.c:682.

Vim Version

git log
commit ea83c194625e51c28a2796eba9ba87b0b9ab23e0 (HEAD -> master, tag: v9.0.1414, origin/master, origin/HEAD)

Proof of Concept

./vim -u NONE -i NONE -n -m -X -Z -e -s -S POC_vim_strrchr -c :qa!
=================================================================
==19071==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000038457 at pc 0x55616a3f8715 bp 0x7fffebf0b150 sp 0x7fffebf0b140
READ of size 1 at 0x602000038457 thread T0
    #0 0x55616a3f8714 in vim_strrchr /home/Fuzz/vim/src/strings.c:682
    #1 0x5561699fa12c in stuff_inserted /home/Fuzz/vim/src/edit.c:2915
    #2 0x556169a14200 in edit /home/Fuzz/vim/src/edit.c:904
    #3 0x556169fc4628 in op_change /home/Fuzz/vim/src/ops.c:1782
    #4 0x556169fd1fff in do_pending_operator /home/Fuzz/vim/src/ops.c:4131
    #5 0x556169f7efe5 in normal_cmd /home/Fuzz/vim/src/normal.c:961
    #6 0x556169bbd1b2 in exec_normal /home/Fuzz/vim/src/ex_docmd.c:8895
    #7 0x556169bbdb71 in exec_normal_cmd /home/Fuzz/vim/src/ex_docmd.c:8858
    #8 0x556169bbdb71 in ex_normal /home/Fuzz/vim/src/ex_docmd.c:8776
    #9 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #10 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #11 0x55616a61ba1c in call_user_func /home/Fuzz/vim/src/userfunc.c:3048
    #12 0x55616a61eabe in call_user_func_check /home/Fuzz/vim/src/userfunc.c:3220
    #13 0x55616a6211a7 in call_func /home/Fuzz/vim/src/userfunc.c:3782
    #14 0x55616a623813 in get_func_tv /home/Fuzz/vim/src/userfunc.c:1935
    #15 0x556169a2b611 in eval_func /home/Fuzz/vim/src/eval.c:2376
    #16 0x556169a5941f in eval9 /home/Fuzz/vim/src/eval.c:4280
    #17 0x556169a5c043 in eval8 /home/Fuzz/vim/src/eval.c:3840
    #18 0x556169a5ce38 in eval7 /home/Fuzz/vim/src/eval.c:3644
    #19 0x556169a5eb15 in eval6 /home/Fuzz/vim/src/eval.c:3423
    #20 0x556169a61ceb in eval5 /home/Fuzz/vim/src/eval.c:3312
    #21 0x556169a631c7 in eval4 /home/Fuzz/vim/src/eval.c:3163
    #22 0x556169a64619 in eval3 /home/Fuzz/vim/src/eval.c:3024
    #23 0x556169a662d5 in eval2 /home/Fuzz/vim/src/eval.c:2898
    #24 0x556169a662d5 in eval1 /home/Fuzz/vim/src/eval.c:2744
    #25 0x556169a6de54 in eval0_retarg /home/Fuzz/vim/src/eval.c:2655
    #26 0x556169a72941 in eval0 /home/Fuzz/vim/src/eval.c:2589
    #27 0x556169a72941 in eval_to_string_eap /home/Fuzz/vim/src/eval.c:629
    #28 0x55616a241a22 in get_expr_line /home/Fuzz/vim/src/register.c:154
    #29 0x55616a2472f4 in get_spec_reg /home/Fuzz/vim/src/register.c:876
    #30 0x55616a254c1e in insert_reg /home/Fuzz/vim/src/register.c:810
    #31 0x556169a15166 in ins_reg /home/Fuzz/vim/src/edit.c:3447
    #32 0x556169a15166 in edit /home/Fuzz/vim/src/edit.c:911
    #33 0x556169fc4628 in op_change /home/Fuzz/vim/src/ops.c:1782
    #34 0x556169fd1fff in do_pending_operator /home/Fuzz/vim/src/ops.c:4131
    #35 0x556169f7efe5 in normal_cmd /home/Fuzz/vim/src/normal.c:961
    #36 0x55616a909730 in main_loop /home/Fuzz/vim/src/main.c:1535
    #37 0x556169c2228b in open_cmdwin /home/Fuzz/vim/src/ex_getln.c:4549
    #38 0x556169c2228b in getcmdline_int /home/Fuzz/vim/src/ex_getln.c:1938
    #39 0x556169bc7b74 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:876
    #40 0x556169f5298f in nv_colon /home/Fuzz/vim/src/normal.c:3178
    #41 0x556169f7d82a in normal_cmd /home/Fuzz/vim/src/normal.c:939
    #42 0x556169bbd1b2 in exec_normal /home/Fuzz/vim/src/ex_docmd.c:8895
    #43 0x556169bbdb71 in exec_normal_cmd /home/Fuzz/vim/src/ex_docmd.c:8858
    #44 0x556169bbdb71 in ex_normal /home/Fuzz/vim/src/ex_docmd.c:8776
    #45 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #46 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #47 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #48 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #49 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #50 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #51 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #52 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #53 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #54 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #55 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #56 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #57 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #58 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #59 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #60 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #61 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #62 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #63 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #64 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #65 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #66 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #67 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #68 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #69 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #70 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #71 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #72 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #73 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #74 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #75 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #76 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #77 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #78 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #79 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #80 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #81 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #82 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #83 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #84 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #85 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #86 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #87 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #88 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #89 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #90 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #91 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #92 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #93 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #94 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #95 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #96 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #97 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #98 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #99 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #100 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #101 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #102 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #103 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #104 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #105 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #106 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #107 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #108 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #109 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #110 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #111 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #112 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #113 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #114 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #115 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #116 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #117 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #118 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #119 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #120 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #121 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #122 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #123 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #124 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #125 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #126 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #127 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #128 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #129 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #130 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #131 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #132 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #133 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #134 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #135 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #136 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #137 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #138 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #139 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #140 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #141 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #142 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #143 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #144 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #145 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #146 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #147 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #148 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #149 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #150 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #151 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #152 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #153 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #154 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #155 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #156 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #157 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #158 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #159 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #160 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #161 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #162 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #163 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #164 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #165 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #166 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #167 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #168 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #169 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #170 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #171 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #172 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #173 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #174 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #175 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #176 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #177 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #178 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #179 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #180 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #181 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #182 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #183 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #184 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #185 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #186 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #187 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #188 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #189 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #190 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #191 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #192 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #193 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #194 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #195 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #196 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #197 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #198 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #199 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #200 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #201 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #202 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #203 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #204 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #205 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #206 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #207 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #208 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #209 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #210 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #211 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #212 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #213 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #214 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #215 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #216 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #217 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #218 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #219 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #220 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #221 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #222 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #223 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #224 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #225 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #226 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #227 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #228 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #229 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #230 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #231 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #232 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #233 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #234 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #235 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #236 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #237 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #238 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #239 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #240 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #241 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #242 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #243 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #244 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #245 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #246 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #247 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #248 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #249 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #250 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #251 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #252 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #253 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #254 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #255 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #256 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #257 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #258 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #259 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #260 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #261 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #262 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #263 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #264 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #265 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #266 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #267 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #268 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #269 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #270 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #271 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #272 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #273 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #274 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #275 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #276 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #277 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #278 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #279 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #280 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #281 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #282 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #283 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #284 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #285 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #286 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #287 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #288 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #289 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #290 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #291 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #292 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #293 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #294 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #295 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #296 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #297 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #298 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #299 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #300 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #301 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #302 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #303 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #304 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #305 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #306 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #307 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #308 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #309 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #310 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #311 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #312 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #313 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #314 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #315 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #316 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #317 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #318 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #319 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #320 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #321 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #322 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #323 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759
    #324 0x55616a2b4d2b in cmd_source /home/Fuzz/vim/src/scriptfile.c:1233
    #325 0x556169bd6c91 in do_one_cmd /home/Fuzz/vim/src/ex_docmd.c:2580
    #326 0x556169bd6c91 in do_cmdline /home/Fuzz/vim/src/ex_docmd.c:993
    #327 0x55616a2ae165 in do_source_ext /home/Fuzz/vim/src/scriptfile.c:1759

0x602000038457 is located 3 bytes to the right of 4-byte region [0x602000038450,0x602000038454)
allocated by thread T0 here:
    #0 0x7f8c674b4867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55616981268a in lalloc /home/Fuzz/vim/src/alloc.c:246

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/Fuzz/vim/src/strings.c:682 in vim_strrchr
==19071==ABORTING
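The ASan output above is what a fuzzing triage pipeline has to digest, and the maintainer's remark further down that the PoC "recursively sources itself" is visible in the stack as the same four frames (do_one_cmd, do_cmdline, do_source_ext, cmd_source) repeating. The following script is an added example, not part of the huntr report or of Vim: it parses an ASan heap-buffer-overflow report into the bug kind, the access, the region geometry and the crash stack, folds a repeating frame cycle, and emits a one-line triage summary usable as a deduplication key. The sample report embedded in it is a constructed, shortened excerpt of the output above (same addresses and source lines, placeholder pc values, recursion cut to three rounds).

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports (added example)."""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+?):(\d+)(?::\d+)?\s*$")


@dataclass
class AsanTriage:
    bug: str = ""
    access: str = ""       # READ or WRITE
    size: int = 0          # bytes accessed
    offset: int = 0        # distance from the region boundary that was crossed
    side: str = ""         # "right" (past the end) or "left" (before the start)
    region: int = 0        # size of the allocation the access missed
    frames: list[tuple[str, str, int]] = field(default_factory=list)  # (func, file, line)


def parse_asan(report: str) -> AsanTriage:
    """Pull the bug kind, the access, the region geometry and the faulting stack out of a report."""
    t, in_crash_stack = AsanTriage(), False
    for line in report.splitlines():
        if m := HEADER_RE.search(line):
            t.bug = m.group(1)
        elif m := ACCESS_RE.match(line):
            t.access, t.size, in_crash_stack = m.group(1), int(m.group(2)), True
        elif m := REGION_RE.search(line):
            t.offset, t.side, t.region = int(m.group(1)), m.group(2), int(m.group(3))
        elif in_crash_stack:
            if m := FRAME_RE.match(line):
                t.frames.append((m.group(1), m.group(2), int(m.group(3))))
            elif not line.strip():
                in_crash_stack = False   # blank line ends the crash stack; "allocated by" follows
    return t


def collapse_cycles(funcs: list[str], min_repeats: int = 3) -> list[tuple[tuple[str, ...], int]]:
    """Fold a frame sequence repeating >= min_repeats times into (sequence, count); others as ((f,), 1)."""
    out, i, n = [], 0, len(funcs)
    while i < n:
        best = None
        for period in range(1, (n - i) // min_repeats + 1):
            seq, k = tuple(funcs[i:i + period]), 1
            while tuple(funcs[i + k * period:i + (k + 1) * period]) == seq:
                k += 1
            # keep the candidate that explains the most frames from this position
            if k >= min_repeats and (best is None or k * period > len(best[0]) * best[1]):
                best = (seq, k)
        out.append(best or ((funcs[i],), 1))
        i += len(out[-1][0]) * out[-1][1]
    return out


def triage_line(t: AsanTriage) -> str:
    """One line per crash, usable as a dedup key across fuzzer-found reports."""
    where = f"{t.offset} bytes {'past the end' if t.side == 'right' else 'before the start'}"
    path = " < ".join(f"[{' < '.join(seq)}] x{k}" if k > 1 else seq[0]
                      for seq, k in collapse_cycles([f for f, _, _ in t.frames]))
    func, src, line = t.frames[0]
    return (f"{t.bug}: {t.access} of {t.size} byte(s) {where} of a {t.region}-byte allocation "
            f"in {func} ({src.rsplit('/', 1)[-1]}:{line}); path: {path}")


# Constructed, shortened excerpt of the report above: same addresses and source lines,
# pc values replaced by a placeholder, and the :source recursion cut to three rounds.
CYCLE = [("do_one_cmd", "ex_docmd.c", 2580), ("do_cmdline", "ex_docmd.c", 993),
         ("do_source_ext", "scriptfile.c", 1759), ("cmd_source", "scriptfile.c", 1233)]
FRAMES = [("vim_strrchr", "strings.c", 682), ("stuff_inserted", "edit.c", 2915),
          ("edit", "edit.c", 904)] + CYCLE * 3 + CYCLE[:3]
SAMPLE_REPORT = "\n".join(
    ["==19071==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000038457 at pc 0xdead",
     "READ of size 1 at 0x602000038457 thread T0"]
    + [f"    #{i} 0xdead in {fn} /home/Fuzz/vim/src/{src}:{ln}" for i, (fn, src, ln) in enumerate(FRAMES)]
    + ["", "0x602000038457 is located 3 bytes to the right of 4-byte region [0x602000038450,0x602000038454)",
       "allocated by thread T0 here:", "    #0 0x7f8c674b4867 in __interceptor_malloc asan_malloc_linux.cpp:145",
       "    #1 0x55616981268a in lalloc /home/Fuzz/vim/src/alloc.c:246", "",
       "SUMMARY: AddressSanitizer: heap-buffer-overflow /home/Fuzz/vim/src/strings.c:682 in vim_strrchr"])

if __name__ == "__main__":
    print(triage_line(parse_asan(SAMPLE_REPORT)))
```

Feeding it the full report above folds the ~80 rounds of recursion into one bracketed cycle, which is what makes two crashes reached through different recursion depths compare equal.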

Impact

This vulnerability is capable of crashing the software, modifying memory, and possibly enabling remote code execution.

References

We are processing your report and will contact the vim team within 24 hours. a year ago
We have contacted a member of the vim team and are waiting to hear back a year ago
Bram Moolenaar validated this vulnerability a year ago

I can reproduce it. Unfortunately, the POC is too complex to pinpoint the problem; it recursively sources itself. I can't use it for a regression test this way. I'm also not sure how to solve the problem.

hikari446 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar
a year ago

I have fixed the problem in patch 9.0.1429. However, I'm not marking this issue as fixed, since I don't have a regression test.

hikari446 (Researcher)
a year ago

How can I help in producing the regression test?

Christian Brabandt marked this as fixed in 9.0.1429 with commit 1a08a3 6 months ago
The fix bounty has been dropped
This vulnerability has now been published 6 months ago