Buffer Over-read in function current_quote in vim/vim

Valid

Reported on Jun 16th 2022


Description

Buffer Over-read in function current_quote at textobject.c:1801

vim version

git log
commit 83497f875881973df772cc4cc593766345df6c4a (HEAD -> master, tag: v8.2.5105, origin/master, origin/HEAD)

POC

root@fuzz-vm0-187:/home/fuzz/fuzz/vim/afl/src# ./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poc_bor1_s.dat -c :qa!
=================================================================
==26523==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x0000010c16ed bp 0x7ffef393a8f0 sp 0x7ffef393a8e8
READ of size 1 at 0x621000013d00 thread T0
    #0 0x10c16ec in current_quote /home/fuzz/fuzz/vim/afl/src/textobject.c:1801:10
    #1 0xb69bc7 in nv_object /home/fuzz/fuzz/vim/afl/src/normal.c:7105:10
    #2 0xb4b671 in nv_edit /home/fuzz/fuzz/vim/afl/src/normal.c:6884:2
    #3 0xb1f59f in normal_cmd /home/fuzz/fuzz/vim/afl/src/normal.c:939:5
    #4 0x814eee in exec_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8808:6
    #5 0x814718 in exec_normal_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8771:5
    #6 0x8142c9 in ex_normal /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:8689:6
    #7 0x7dd249 in do_one_cmd /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:2570:2
    #8 0x7ca105 in do_cmdline /home/fuzz/fuzz/vim/afl/src/ex_docmd.c:992:17
    #9 0x115857c in call_user_func /home/fuzz/fuzz/vim/afl/src/userfunc.c:2900:2
    #10 0x115466d in call_user_func_check /home/fuzz/fuzz/vim/afl/src/userfunc.c:3048:2
    #11 0x114ea14 in call_func /home/fuzz/fuzz/vim/afl/src/userfunc.c:3612:11
    #12 0x114bdb3 in get_func_tv /home/fuzz/fuzz/vim/afl/src/userfunc.c:1833:8
    #13 0x117f4da in ex_call /home/fuzz/fuzz/vim/afl/src/userfunc.c:5593:6

0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
    #0 0x499cad in malloc (/home/fuzz/fuzz/vim/afl/src/vim+0x499cad)
    #1 0x4cb382 in lalloc /home/fuzz/fuzz/vim/afl/src/alloc.c:246:11
    #2 0x4cb26a in alloc /home/fuzz/fuzz/vim/afl/src/alloc.c:151:12
    #3 0x142bfb5 in mf_alloc_bhdr /home/fuzz/fuzz/vim/afl/src/memfile.c:884:21
    #4 0x142adc7 in mf_new /home/fuzz/fuzz/vim/afl/src/memfile.c:375:26
    #5 0xa60d28 in ml_new_data /home/fuzz/fuzz/vim/afl/src/memline.c:4080:15
    #6 0xa5f6d1 in ml_open /home/fuzz/fuzz/vim/afl/src/memline.c:394:15
    #7 0x501c8a in open_buffer /home/fuzz/fuzz/vim/afl/src/buffer.c:186:9
    #8 0x141ff4c in create_windows /home/fuzz/fuzz/vim/afl/src/main.c:2902:9
    #9 0x141e21a in vim_main2 /home/fuzz/fuzz/vim/afl/src/main.c:711:5
    #10 0x1413dad in main /home/fuzz/fuzz/vim/afl/src/main.c:432:12
    #11 0x7f90cedd6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/afl/src/textobject.c:1801:10 in current_quote
==26523==ABORTING

poc_bor1_s.dat

Impact

This vulnerability is capable of crashing the software, modifying memory, and possibly leading to remote code execution.
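The ASan output above reports a 1-byte READ exactly 0 bytes past the end of a 4096-byte line-storage block inside current_quote, the function that locates quote text objects. The C model below is an added example, not vim's code: it shows the bug class and the defensive check. The assumed mechanism (a column range taken from stale editor state that is longer than the current line, so the scan runs past the NUL terminator) is not stated on the page, which only reports the over-read and that the POC relies on infinite recursion; `line_t`, `line_at` and the two `find_quote_*` functions are hypothetical names, and `line_at` stands in for ASan's redzone check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a line buffer that knows its allocation size, so the
 * accessor can detect reads past the end the way an ASan redzone does. */
typedef struct {
    const char *text;     /* NUL-terminated line text */
    size_t      alloc;    /* bytes actually allocated (ASan's "region" size) */
    int         overread; /* number of reads at or beyond alloc */
} line_t;

/* Instrumented byte read: records an out-of-bounds read instead of performing it. */
static char line_at(line_t *l, size_t i)
{
    if (i >= l->alloc) {
        l->overread++;
        fprintf(stderr, "READ of size 1 at %zu bytes to the right of %zu-byte region\n",
                i - l->alloc, l->alloc);
        return '\0';
    }
    return l->text[i];
}

/* Vulnerable pattern (hypothetical): the scan range [col_start, col_end] comes
 * from caller state and is trusted blindly, so a range longer than the line
 * walks straight past the terminator. Returns the column of the quote or -1. */
static int find_quote_unchecked(line_t *l, size_t col_start, size_t col_end, char q)
{
    size_t i = col_start;
    while (i <= col_end) {
        if (line_at(l, i++) == q)
            return (int)(i - 1);
    }
    return -1;
}

/* Hardened pattern: the NUL terminator bounds the scan no matter what range
 * the caller asked for, so a stale range can only end the search early. */
static int find_quote_checked(line_t *l, size_t col_start, size_t col_end, char q)
{
    size_t i = col_start;
    while (i <= col_end) {
        if (line_at(l, i) == '\0')   /* range outlived the line: stop here */
            break;
        if (line_at(l, i++) == q)
            return (int)(i - 1);
    }
    return -1;
}

int main(void)
{
    /* 7 characters plus NUL in an 8-byte region; the requested range reaches
     * column 12, five bytes beyond the allocation. */
    line_t bad  = { "abc def", 8, 0 };
    line_t good = { "abc def", 8, 0 };

    int r1 = find_quote_unchecked(&bad, 0, 12, '"');
    printf("unchecked: result %d, over-reads %d\n", r1, bad.overread);
    int r2 = find_quote_checked(&good, 0, 12, '"');
    printf("checked:   result %d, over-reads %d\n", r2, good.overread);
    return 0;
}
```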

We are processing your report and will contact the vim team within 24 hours. 2 years ago
We have contacted a member of the vim team and are waiting to hear back 2 years ago
Bram Moolenaar validated this vulnerability 2 years ago

I can reproduce it. The POC is not usable as a regression test though, because it uses infinite recursion.

jieyongma has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Bram Moolenaar
2 years ago

Fixed in patch 8.2.5120

Bram Moolenaar marked this as fixed in 8.2 with commit 2f074f 2 years ago
Bram Moolenaar has been awarded the fix bounty