7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
29.7%
Buffer Over-read in function utf_ptr2char at mbyte.c:1794
git log
commit 31d9948e3a2529c2f619d56bdb48291dc261233d (HEAD -> master, tag: v8.2.5026, origin/master, origin/HEAD)
./vim -u NONE -i NONE -n -m -X -Z -e -s -S /mnt/share/max/fuzz/poc/vim/poc_h10_n_s.dat -c :qa!
=================================================================
==3756371==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000013d00 at pc 0x000000a464c9 bp 0x7fffffff4d30 sp 0x7fffffff4d28
READ of size 1 at 0x621000013d00 thread T0
#0 0xa464c8 in utf_ptr2char /home/fuzz/fuzz/vim/vim/src/mbyte.c:1794:9
#1 0xaac9f3 in gchar_pos /home/fuzz/fuzz/vim/vim/src/misc1.c:523:9
#2 0x10a9485 in findsent /home/fuzz/fuzz/vim/vim/src/textobject.c:50:6
#3 0xa1b89e in getmark_buf_fnum /home/fuzz/fuzz/vim/vim/src/mark.c:354:6
#4 0xa1ae69 in getmark_buf /home/fuzz/fuzz/vim/vim/src/mark.c:287:12
#5 0xda6891 in nfa_regmatch /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:6786:9
#6 0xd96fd0 in nfa_regtry /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:7193:14
#7 0xd94cb7 in nfa_regexec_both /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:7388:14
#8 0xcf6ed1 in nfa_regexec_multi /home/fuzz/fuzz/vim/vim/src/./regexp_nfa.c:7608:12
#9 0xcf3e72 in vim_regexec_multi /home/fuzz/fuzz/vim/vim/src/regexp.c:2866:14
#10 0x7af73f in ex_substitute /home/fuzz/fuzz/vim/vim/src/ex_cmds.c:4008:11
#11 0x7dc8e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#12 0x7c96a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#13 0xe5884c in do_source_ext /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1674:5
#14 0xe552a6 in do_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1801:12
#15 0xe54bdc in cmd_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1174:14
#16 0xe542be in ex_source /home/fuzz/fuzz/vim/vim/src/scriptfile.c:1200:2
#17 0x7dc8e9 in do_one_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:2567:2
#18 0x7c96a5 in do_cmdline /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:992:17
#19 0x7ce2f1 in do_cmdline_cmd /home/fuzz/fuzz/vim/vim/src/ex_docmd.c:586:12
#20 0x1424832 in exe_commands /home/fuzz/fuzz/vim/vim/src/main.c:3106:2
#21 0x14209cb in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:780:2
#22 0x14160c5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#23 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#24 0x41ea6d in _start (/home/fuzz/fuzz-vim/vim/src/vim+0x41ea6d)
0x621000013d00 is located 0 bytes to the right of 4096-byte region [0x621000012d00,0x621000013d00)
allocated by thread T0 here:
#0 0x499ccd in malloc (/home/fuzz/fuzz-vim/vim/src/vim+0x499ccd)
#1 0x4cb3aa in lalloc /home/fuzz/fuzz/vim/vim/src/alloc.c:246:11
#2 0x4cb28a in alloc /home/fuzz/fuzz/vim/vim/src/alloc.c:151:12
#3 0x142e2e5 in mf_alloc_bhdr /home/fuzz/fuzz/vim/vim/src/memfile.c:884:21
#4 0x142d0f7 in mf_new /home/fuzz/fuzz/vim/vim/src/memfile.c:375:26
#5 0xa620b8 in ml_new_data /home/fuzz/fuzz/vim/vim/src/memline.c:4080:15
#6 0xa60a61 in ml_open /home/fuzz/fuzz/vim/vim/src/memline.c:394:15
#7 0x50119a in open_buffer /home/fuzz/fuzz/vim/vim/src/buffer.c:186:9
#8 0x142207c in create_windows /home/fuzz/fuzz/vim/vim/src/main.c:2875:9
#9 0x142034a in vim_main2 /home/fuzz/fuzz/vim/vim/src/main.c:711:5
#10 0x14160c5 in main /home/fuzz/fuzz/vim/vim/src/main.c:432:12
#11 0x7ffff7bec082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/fuzz/fuzz/vim/vim/src/mbyte.c:1794:9 in utf_ptr2char
Shadow bytes around the buggy address:
0x0c427fffa750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffa760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffa770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffa780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffa790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffa7a0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3756371==ABORTING
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
29.7%