Distributor ID: Debian
Description: Debian GNU/Linux bookworm/sid
I checked against the master branch as of 09/25 at commitf109bf93c9402e4e3122a7ae7846e6feae4fa222 .
This AddressSanitizer output is indicating a OOB read that is semi-controllable, but is relative to the zero page, so this is mostly a CWE-476: NULL Pointer Dereference. LineOffset
can be NULL in the file vim/src/screen.c
at line 497 and will be accessed at the index of the variable row
. The variable Rows
limits the size of the variable row
. If there is a scenario that Rows
is controllable, this could be an arbitrary read from 0 to INTMAX. NOTE: My local vim is modified from this commit to not catch signals so that the faults propagate to aflplusplus. I can provide the diff if someone wants.
off_to = LineOffset[row] + coloff;
./vim -u NONE -i NONE -n -m -X -Z -e -s -S crash1 -c :qa!
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2281401==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x555555e69412 bp 0x000000000000 sp 0x7fffffff73e0 T0)
==2281401==The signal is caused by a READ memory access.
==2281401==Hint: address points to the zero page.
#0 0x555555e69412 in screen_line /path/vim/src/screen.c:497:14
#1 0x55555594568c in draw_screen_line /path/vim/src/drawline.c:956:5
#2 0x55555593ca56 in win_line /path/vim/src/drawline.c:3736:3
#3 0x55555594c24e in win_update /path/vim/src/drawscreen.c:2506:9
#4 0x55555595713a in updateWindow /path/vim/src/drawscreen.c:2930:5
#5 0x5555561db223 in gui_do_scroll /path/vim/src/gui.c:4491:2
#6 0x555555977e7d in ins_scroll /path/vim/src/edit.c:4510:9
#7 0x55555596acd2 in edit /path/vim/src/edit.c:1086:6
#8 0x555555ca49db in invoke_edit /path/vim/src/normal.c:7086:9
#9 0x555555ca49db in n_opencmd /path/vim/src/normal.c:6316:2
#10 0x555555ca49db in nv_open /path/vim/src/normal.c:7477:2
#11 0x555555c83c63 in normal_cmd /path/vim/src/normal.c:949:5
#12 0x555555a6b524 in exec_normal /path/vim/src/ex_docmd.c
#13 0x555555a6a877 in exec_normal_cmd /path/vim/src/ex_docmd.c:8875:5
#14 0x555555a6a877 in ex_normal /path/vim/src/ex_docmd.c:8793:6
#15 0x555555a42678 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
#16 0x555555a42678 in do_cmdline /path/vim/src/ex_docmd.c:994:17
#17 0x555555e9b79a in do_source_ext /path/vim/src/scriptfile.c:1762:5
#18 0x555555e9950b in do_source /path/vim/src/scriptfile.c:1908:12
#19 0x555555e9950b in cmd_source /path/vim/src/scriptfile.c:1253:14
#20 0x555555a42678 in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
#21 0x555555a42678 in do_cmdline /path/vim/src/ex_docmd.c:994:17
#22 0x5555562f06d3 in exe_commands /path/vim/src/main.c:3177:2
#23 0x5555562f06d3 in vim_main2 /path/vim/src/main.c:790:2
#24 0x5555562ecda3 in main /path/vim/src/main.c:441:12
#25 0x7ffff6bde1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#26 0x7ffff6bde284 in __libc_start_main csu/../csu/libc-start.c:360:3
#27 0x555555772290 in _start (/path/vim/src/vim+0x21e290) (BuildId: 35c8e3fde8659b75419975e4d0d0f90f327b40e2)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /path/vim/src/screen.c:497:14 in screen_line
==2281401==ABORTING