[vim/vim] :syn sync grouphere may go beyond end of line (PR #19896)


zeertzjq

Apr 2, 2026, 10:04:45 PM
to vim/vim, Subscribed

Problem: :syn sync grouphere may go beyond end of line.
Solution: Start searching for the end of region at the end of match
instead of a possibly invalid position.


You can view, comment on, or merge this pull request online at:

  https://github.com/vim/vim/pull/19896

Commit Summary

  • efec6a6 :syn sync grouphere may go beyond end of line

File Changes

(2 files)


zeertzjq

Apr 2, 2026, 10:06:03 PM
to vim/vim, Subscribed
zeertzjq left a comment (vim/vim#19896)

Test triggers an ASAN failure without this fix:

=================================================================
==177683==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7b96fd29cc8b at pc 0x55c946cc76d3 bp 0x7fffde052f50 sp 0x7fffde052f40
READ of size 1 at 0x7b96fd29cc8b thread T0
    #0 0x55c946cc76d2 in vim_strchr **/src/strings.c:657
    #1 0x55c946a9bd92 in cstrchr **/src/regexp.c:1826
    #2 0x55c946b2d0b9 in skip_to_start **/src/regexp_nfa.c:5663
    #3 0x55c946b41bd0 in nfa_regexec_both **/src/regexp_nfa.c:7523
    #4 0x55c946b4390c in nfa_regexec_multi **/src/regexp_nfa.c:7776
    #5 0x55c946b45697 in vim_regexec_multi **/src/regexp.c:3219
    #6 0x55c946d010b3 in syn_regexec **/src/syntax.c:3167
    #7 0x55c946cfd34a in find_endpos **/src/syntax.c:2849
    #8 0x55c946cfba8d in update_si_end **/src/syntax.c:2683
    #9 0x55c946ce77bf in syn_sync **/src/syntax.c:825
    #10 0x55c946ce4ab1 in syntax_start **/src/syntax.c:449
    #11 0x55c946391a47 in win_line **/src/drawline.c:1352
    #12 0x55c9463dbe54 in win_update **/src/drawscreen.c:2554
    #13 0x55c9463bb890 in update_screen **/src/drawscreen.c:352
    #14 0x55c94657b1ca in redraw_cmd **/src/ex_docmd.c:8980
    #15 0x55c94657b0b4 in ex_redraw **/src/ex_docmd.c:8963
    #16 0x55c946536611 in do_one_cmd **/src/ex_docmd.c:2629
    #17 0x55c946529443 in do_cmdline **/src/ex_docmd.c:1041
    #18 0x55c946ea7807 in call_user_func **/src/userfunc.c:3312
    #19 0x55c946ea9751 in call_user_func_check **/src/userfunc.c:3485
    #20 0x55c946eaea07 in call_func **/src/userfunc.c:4158
    #21 0x55c946e9b37b in get_func_tv **/src/userfunc.c:2190
    #22 0x55c946ec5650 in ex_call_inner **/src/userfunc.c:6518
    #23 0x55c946ec87fd in ex_call **/src/userfunc.c:6876
    #24 0x55c946536611 in do_one_cmd **/src/ex_docmd.c:2629
    #25 0x55c946529443 in do_cmdline **/src/ex_docmd.c:1041
    #26 0x55c9464580ac in ex_execute **/src/eval.c:8006
    #27 0x55c946536611 in do_one_cmd **/src/ex_docmd.c:2629
    #28 0x55c946529443 in do_cmdline **/src/ex_docmd.c:1041
    #29 0x55c946ea7807 in call_user_func **/src/userfunc.c:3312
    #30 0x55c946ea9751 in call_user_func_check **/src/userfunc.c:3485
    #31 0x55c946eaea07 in call_func **/src/userfunc.c:4158
    #32 0x55c946e9b37b in get_func_tv **/src/userfunc.c:2190
    #33 0x55c946ec5650 in ex_call_inner **/src/userfunc.c:6518
    #34 0x55c946ec87fd in ex_call **/src/userfunc.c:6876
    #35 0x55c946536611 in do_one_cmd **/src/ex_docmd.c:2629
    #36 0x55c946529443 in do_cmdline **/src/ex_docmd.c:1041
    #37 0x55c946bacd06 in do_source_ext **/src/scriptfile.c:1940
    #38 0x55c946baebf4 in do_source **/src/scriptfile.c:2086
    #39 0x55c946ba918b in cmd_source **/src/scriptfile.c:1432
    #40 0x55c946ba9358 in ex_source **/src/scriptfile.c:1458
    #41 0x55c946536611 in do_one_cmd **/src/ex_docmd.c:2629
    #42 0x55c946529443 in do_cmdline **/src/ex_docmd.c:1041
    #43 0x55c946526fa3 in do_cmdline_cmd **/src/ex_docmd.c:635
    #44 0x55c947264b74 in exe_commands **/src/main.c:3303
    #45 0x55c9472556a6 in vim_main2 **/src/main.c:866
    #46 0x55c947254857 in main **/src/main.c:453
    #47 0x7f77016366c0  (/usr/lib/libc.so.6+0x276c0) (BuildId: 7a8d41a2df4fde040b4c6ac2832311ab645a1e41)
    #48 0x7f77016367f8 in __libc_start_main (/usr/lib/libc.so.6+0x277f8) (BuildId: 7a8d41a2df4fde040b4c6ac2832311ab645a1e41)
    #49 0x55c9461f4364 in _start (**/src/vim+0x15a2364) (BuildId: 277884f665f0beeb979699a4562a696bd42d240f)

0x7b96fd29cc8b is located 21 bytes after 6-byte region [0x7b96fd29cc70,0x7b96fd29cc76)
allocated by thread T0 here:
    #0 0x7f7703120cb5 in malloc (/usr/lib/libasan.so.8+0x120cb5) (BuildId: 0b96d08695bbce2da9d4770c29ad2e72fb536f47)
    #1 0x55c9461f4810 in lalloc **/src/alloc.c:246
    #2 0x55c9461f45e6 in alloc **/src/alloc.c:151
    #3 0x55c9467e37a7 in ml_get_buf **/src/memline.c:2859
    #4 0x55c946a97d0a in reg_getline_common **/src/regexp.c:1304
    #5 0x55c946a97e97 in reg_getline **/src/regexp.c:1317
    #6 0x55c946b41304 in nfa_regexec_both **/src/regexp_nfa.c:7461
    #7 0x55c946b4390c in nfa_regexec_multi **/src/regexp_nfa.c:7776
    #8 0x55c946b45697 in vim_regexec_multi **/src/regexp.c:3219
    #9 0x55c946d010b3 in syn_regexec **/src/syntax.c:3167
    #10 0x55c946cfd34a in find_endpos **/src/syntax.c:2849
    #11 0x55c946cfba8d in update_si_end **/src/syntax.c:2683
    #12 0x55c946ce77bf in syn_sync **/src/syntax.c:825
    #13 0x55c946ce4ab1 in syntax_start **/src/syntax.c:449
    #14 0x55c946391a47 in win_line **/src/drawline.c:1352
    #15 0x55c9463dbe54 in win_update **/src/drawscreen.c:2554
    #16 0x55c9463bb890 in update_screen **/src/drawscreen.c:352
    #17 0x55c94657b1ca in redraw_cmd **/src/ex_docmd.c:8980
    #18 0x55c94657b0b4 in ex_redraw **/src/ex_docmd.c:8963
    #19 0x55c946536611 in do_one_cmd **/src/ex_docmd.c:2629
    #20 0x55c946529443 in do_cmdline **/src/ex_docmd.c:1041
    #21 0x55c946ea7807 in call_user_func **/src/userfunc.c:3312
    #22 0x55c946ea9751 in call_user_func_check **/src/userfunc.c:3485
    #23 0x55c946eaea07 in call_func **/src/userfunc.c:4158
    #24 0x55c946e9b37b in get_func_tv **/src/userfunc.c:2190
    #25 0x55c946ec5650 in ex_call_inner **/src/userfunc.c:6518
    #26 0x55c946ec87fd in ex_call **/src/userfunc.c:6876
    #27 0x55c946536611 in do_one_cmd **/src/ex_docmd.c:2629
    #28 0x55c946529443 in do_cmdline **/src/ex_docmd.c:1041
    #29 0x55c9464580ac in ex_execute **/src/eval.c:8006

SUMMARY: AddressSanitizer: heap-buffer-overflow **/src/strings.c:657 in vim_strchr
Shadow bytes around the buggy address:
  0x7b96fd29ca00: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fa fa
  0x7b96fd29ca80: fa fa fa fa fa fa fa fa fa fa fd fa fa fa fa fa
  0x7b96fd29cb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b96fd29cb80: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b96fd29cc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 06 fa
=>0x7b96fd29cc80: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b96fd29cd00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b96fd29cd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b96fd29ce00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b96fd29ce80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7b96fd29cf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==177683==ABORTING
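
The failure mode in the report above, as an added C example that is not part of this thread and is not Vim's code: a region-end search that rejects a start position whose column lies outside the line it is paired with, instead of scanning from it. All names (`Pos`, `pos_valid`, `find_region_end`, `sample`) are hypothetical and the sample lines are constructed to mirror the sizes in the ASAN output (a 6-byte line, a read 21 bytes past its end); how the invalid position arises inside Vim is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified model; none of these names are Vim's. */
typedef struct { size_t lnum; size_t col; } Pos;

/* A position is usable only if col is within the line it is paired with
 * (col == length, i.e. on the NUL, is still a valid place to start). */
int pos_valid(const char *const *lines, size_t nlines, Pos p)
{
    return p.lnum < nlines && p.col <= strlen(lines[p.lnum]);
}

/* Search for end_ch from `from` onward, line by line.
 * Returns 1 and fills *found, 0 if absent, -1 if `from` is invalid. */
int find_region_end(const char *const *lines, size_t nlines, Pos from,
                    char end_ch, Pos *found)
{
    if (!pos_valid(lines, nlines, from))
        return -1; /* unchecked code would scan lines[lnum] + col here */
    for (size_t l = from.lnum; l < nlines; l++) {
        const char *s = lines[l] + (l == from.lnum ? from.col : 0);
        const char *hit = strchr(s, end_ch);
        if (hit != NULL) {
            found->lnum = l;
            found->col = (size_t)(hit - lines[l]);
            return 1;
        }
    }
    return 0;
}

/* Constructed sample: line 1 is 5 characters + NUL = 6 bytes. */
const char *const sample[] = { "0123456789012345678901234567{", "ab}cd" };

int main(void)
{
    Pos stale = { 1, 27 };     /* offset 27 of a 6-byte line: 21 past its end */
    Pos match_end = { 1, 2 };  /* end of a constructed start match "ab" */
    Pos found = { 0, 0 };
    printf("stale: %d\n", find_region_end(sample, 2, stale, '}', &found));
    printf("match end: %d\n", find_region_end(sample, 2, match_end, '}', &found));
    printf("found at %zu:%zu\n", found.lnum, found.col);
    return 0;
}
```

Building the unchecked variant with `-fsanitize=address` is what turns the out-of-range scan into a report like the one above rather than a silent over-read.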

