@dpelle dpelle commented Feb 11, 2017

This PR fixes access to uninitialized memory, along with
a test that accesses uninitialized memory prior to the fix.

Steps to reproduce:

$ valgrind vim -c 'set isfname= | echo expand("~X") | q' 2> vg.log

And vg.log shows this error:

==10148== Memcheck, a memory error detector
==10148== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==10148== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==10148== Command: vim -c set\ isfname=\ |\ echo\ expand("~X")\ |\ q
==10148== 
==10148== Conditional jump or move depends on uninitialised value(s)
==10148==    at 0xBFC528A: _nss_compat_getpwnam_r (compat-pwd.c:859)
==10148==    by 0x71F5F3C: getpwnam_r@@GLIBC_2.2.5 (getXXbyYY_r.c:266)
==10148==    by 0x71F58DE: getpwnam (getXXbyYY.c:116)
==10148==    by 0x4DFFAD: expand_env_esc (misc1.c:4035)
==10148==    by 0x4EB8C2: expand_env_save_opt (misc1.c:3869)
==10148==    by 0x4EB8C2: gen_expand_wildcards (misc1.c:10843)
==10148==    by 0x4EB268: expand_wildcards (misc1.c:9630)
==10148==    by 0x4EB21F: expand_wildcards_eval (misc1.c:9601)
==10148==    by 0x49BFC9: ExpandFromContext (ex_getln.c:4755)
==10148==    by 0x498EC6: ExpandOne (ex_getln.c:3732)
==10148==    by 0x460C47: f_expand (evalfunc.c:3009)
==10148==    by 0x45DFD6: call_internal_func (evalfunc.c:979)
==10148==    by 0x5D5578: call_func (userfunc.c:1426)
==10148== 
==10148== Conditional jump or move depends on uninitialised value(s)
==10148==    at 0xBFC5292: _nss_compat_getpwnam_r (compat-pwd.c:859)
==10148==    by 0x71F5F3C: getpwnam_r@@GLIBC_2.2.5 (getXXbyYY_r.c:266)
==10148==    by 0x71F58DE: getpwnam (getXXbyYY.c:116)
==10148==    by 0x4DFFAD: expand_env_esc (misc1.c:4035)
==10148==    by 0x4EB8C2: expand_env_save_opt (misc1.c:3869)
==10148==    by 0x4EB8C2: gen_expand_wildcards (misc1.c:10843)
==10148==    by 0x4EB268: expand_wildcards (misc1.c:9630)
==10148==    by 0x4EB21F: expand_wildcards_eval (misc1.c:9601)
==10148==    by 0x49BFC9: ExpandFromContext (ex_getln.c:4755)
==10148==    by 0x498EC6: ExpandOne (ex_getln.c:3732)
==10148==    by 0x460C47: f_expand (evalfunc.c:3009)
==10148==    by 0x45DFD6: call_internal_func (evalfunc.c:979)
==10148==    by 0x5D5578: call_func (userfunc.c:1426)
==10148== 
==10148== Conditional jump or move depends on uninitialised value(s)
==10148==    at 0x4C2EA2C: strcmp (vg_replace_strmem.c:842)
==10148==    by 0xBFC5480: internal_getpwnam_r (compat-pwd.c:771)
==10148==    by 0xBFC5480: _nss_compat_getpwnam_r (compat-pwd.c:872)
==10148==    by 0x71F5F3C: getpwnam_r@@GLIBC_2.2.5 (getXXbyYY_r.c:266)
==10148==    by 0x71F58DE: getpwnam (getXXbyYY.c:116)
==10148==    by 0x4DFFAD: expand_env_esc (misc1.c:4035)
==10148==    by 0x4EB8C2: expand_env_save_opt (misc1.c:3869)
==10148==    by 0x4EB8C2: gen_expand_wildcards (misc1.c:10843)
==10148==    by 0x4EB268: expand_wildcards (misc1.c:9630)
==10148==    by 0x4EB21F: expand_wildcards_eval (misc1.c:9601)
==10148==    by 0x49BFC9: ExpandFromContext (ex_getln.c:4755)
==10148==    by 0x498EC6: ExpandOne (ex_getln.c:3732)
==10148==    by 0x460C47: f_expand (evalfunc.c:3009)
==10148==    by 0x45DFD6: call_internal_func (evalfunc.c:979)
==10148== 
==10148== Conditional jump or move depends on uninitialised value(s)
==10148==    at 0xBFC5483: internal_getpwnam_r (compat-pwd.c:771)
==10148==    by 0xBFC5483: _nss_compat_getpwnam_r (compat-pwd.c:872)
==10148==    by 0x71F5F3C: getpwnam_r@@GLIBC_2.2.5 (getXXbyYY_r.c:266)
==10148==    by 0x71F58DE: getpwnam (getXXbyYY.c:116)
==10148==    by 0x4DFFAD: expand_env_esc (misc1.c:4035)
==10148==    by 0x4EB8C2: expand_env_save_opt (misc1.c:3869)
==10148==    by 0x4EB8C2: gen_expand_wildcards (misc1.c:10843)
==10148==    by 0x4EB268: expand_wildcards (misc1.c:9630)
==10148==    by 0x4EB21F: expand_wildcards_eval (misc1.c:9601)
==10148==    by 0x49BFC9: ExpandFromContext (ex_getln.c:4755)
==10148==    by 0x498EC6: ExpandOne (ex_getln.c:3732)
==10148==    by 0x460C47: f_expand (evalfunc.c:3009)
==10148==    by 0x45DFD6: call_internal_func (evalfunc.c:979)
==10148==    by 0x5D5578: call_func (userfunc.c:1426)

The bug was discovered using afl-fuzz.
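As an added illustration (example code, not Vim's source), here is a simplified model of the "~user" expansion with the guard the fix describes: the user name is the run of characters after '~' that appear in an `isfname` string, and the password lookup is only called when a non-empty name was collected. The lookup is a hypothetical hook with a constructed in-memory table standing in for `getpwnam()`, so the example runs offline.

```c
#include <stdio.h>
#include <string.h>

/* Hook for the password lookup. Vim calls getpwnam() here; this example
 * uses a constructed table so it runs without a passwd database. */
typedef const char *(*home_lookup_fn)(const char *user);

int fake_lookup_calls;                 /* how often the lookup ran */

static const char *fake_home(const char *user)
{
    fake_lookup_calls++;
    return strcmp(user, "alice") == 0 ? "/home/alice" : NULL;  /* constructed */
}

/* Collect the user name after '~': the run of characters found in isfname
 * (a string of allowed characters standing in for Vim's option). Always
 * NUL-terminates, so a zero-length name is "" rather than garbage. */
static size_t tilde_user(const char *src, const char *isfname,
                         char *name, size_t namelen)
{
    size_t n = 0;

    if (*src++ != '~')
        return 0;
    while (*src != '\0' && strchr(isfname, *src) != NULL && n + 1 < namelen)
        name[n++] = *src++;
    name[n] = '\0';
    return n;
}

/* Expand "~user" into dst. Rule from the commit message: call the lookup
 * only when a name was actually collected, so an empty 'isfname' (or a bare
 * "~") never reaches getpwnam(). Returns 1 when dst was filled. */
static int expand_tilde(const char *src, const char *isfname,
                        home_lookup_fn lookup, char *dst, size_t dstlen)
{
    char name[64];
    const char *home;

    if (tilde_user(src, isfname, name, sizeof name) == 0)
        return 0;
    home = lookup(name);
    if (home == NULL)
        return 0;
    snprintf(dst, dstlen, "%s", home);
    return 1;
}

/* Convenience wrapper: the expansion, or "" when nothing was expanded. */
const char *expand_demo(const char *src, const char *isfname)
{
    static char out[256];

    out[0] = '\0';
    expand_tilde(src, isfname, fake_home, out, sizeof out);
    return out;
}
```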

@brammool brammool closed this in 187a4f2 Feb 23, 2017
chrisbra pushed a commit to chrisbra/vim that referenced this pull request Mar 25, 2017
Problem:    Using uninitialized memory when 'isfname' is empty.
Solution:   Don't call getpwnam() without an argument. (Dominique Pelle,
            closes vim#1464)
desvp pushed a commit to desvp/vim that referenced this pull request May 30, 2017
Problem:    Using uninitialized memory when 'isfname' is empty.
Solution:   Don't call getpwnam() without an argument. (Dominique Pelle,
            closes vim#1464)
janlazo added a commit to janlazo/neovim that referenced this pull request Jun 7, 2018
Problem:    Using uninitialized memory when 'isfname' is empty.
Solution:   Don't call getpwnam() without an argument. (Dominique Pelle,
            closes vim/vim#1464)
vim/vim@187a4f2
janlazo added a commit to janlazo/neovim that referenced this pull request Jun 7, 2018
Problem:    Using uninitialized memory when 'isfname' is empty.
Solution:   Don't call getpwnam() without an argument. (Dominique Pelle,
            closes vim/vim#1464)
vim/vim@187a4f2
justinmk pushed a commit to neovim/neovim that referenced this pull request Jun 8, 2018
#8493)

Problem:    Using uninitialized memory when 'isfname' is empty.
Solution:   Don't call getpwnam() without an argument. (Dominique Pelle,
            closes vim/vim#1464)
vim/vim@187a4f2