pkgsrc-Bugs archive
pkg/39375: seems to be an integer overflow in vim
>Number: 39375
>Category: pkg
>Synopsis: seems to be an integer overflow in vim
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Aug 18 10:50:00 +0000 2008
>Originator: Oleg Pilyavets
>Release: 4.99.71
>Organization:
Lebedev Physical Institute
>Environment:
NetBSD user 4.99.71 NetBSD 4.99.71 (GENERIC) #0: Fri Aug 1 04:23:17 PDT 2008
builds@wb25:/home/builds/ab/HEAD/i386/200808010002Z-obj/home/builds/ab/HEAD/src/sys/arch/i386/compile/GENERIC
i386
>Description:
Simple operations on text in vim often bring it to an "out of memory" state
or to other internal errors. vim is the latest version, installed from the precompiled
package (vim-7.1.315); the same result can be obtained with the package built
from the pkgsrc system. Probably, this can be turned into arbitrary code
execution if you ask somebody to edit a specific file.
$ vim --version
VIM - Vi IMproved 7.1 (2007 May 12, compiled Jun 24 2008 17:39:11)
Included patches: 1-315
Modified by martti%NetBSD.org@localhost
Compiled by bouyer%twist.lip6.fr@localhost
Normal version without GUI. Features included (+) or not (-):
-arabic +autocmd -balloon_eval -browse -builtin_terms +byte_offset +cindent
-clientserver -clipboard +cmdline_compl +cmdline_hist +cmdline_info +comments
+cryptv -cscope +cursorshape +dialog_con +diff +digraphs -dnd -ebcdic
-emacs_tags +eval +ex_extra +extra_search -farsi +file_in_path +find_in_path
+folding -footer +fork() +gettext -hangul_input +iconv +insert_expand +jumplist
-keymap -langmap +libcall +linebreak +lispindent +listcmds +localmap +menu
+mksession +modify_fname +mouse -mouseshape -mouse_dec -mouse_gpm
-mouse_jsbterm -mouse_netterm +mouse_xterm +multi_byte +multi_lang -mzscheme
-netbeans_intg -osfiletype +path_extra -perl +postscript +printer -profile
-python +quickfix +reltime -rightleft -ruby +scrollbind -signs +smartindent
-sniff +statusline -sun_workshop +syntax +tag_binary +tag_old_static
-tag_any_white -tcl -terminfo +termresponse +textobjects +title -toolbar
+user_commands +vertsplit +virtualedit +visual +visualextra +viminfo +vreplace
+wildignore +wildmenu +windows +writebackup -X11 -xfontset -xim -xsmp
-xterm_clipboard -xterm_save
system vimrc file: "$VIM/vimrc"
user vimrc file: "$HOME/.vimrc"
user exrc file: "$HOME/.exrc"
fall-back for $VIM: "/usr/pkg/share/vim"
Compilation:
cc -c -I. -Iproto -DHAVE_CONFIG_H -I/usr/include -O2 -I/usr/include
Linking: cc -L/usr/lib -Wl,-R/usr/lib -Wl,-R/usr/pkg/lib -o vim
-ltermcap -liconv -lintl
>How-To-Repeat:
To demonstrate the problem you need just a file containing only 4 characters: 4 spaces:
$ cat file | hexdump -Cv
00000000  20 20 20 20 0a                                    |    .|
00000005
Set the cursor on the 3rd space and type: ctrl+v $ c
This brings vim to an error:
E341: Internal error: lalloc(0, )
cannot yank; delete anyway (y/n)?
Another error can be demonstrated if you set the cursor on the 4th space (last
character) and type the same sequence: ctrl+v $ c
This raises an error:
E342: Out of memory! (allocating 4294967295 bytes)
cannot yank; delete anyway (y/n)?
In practice, this error is encountered quite often if you mark a block and then try
to replace it:
ctrl+v arrow_down arrow_down .... arrow_down $ c
>Fix:
No known fix, and even more strangely, I was able to reproduce this bug only on a
NetBSD system. It is still not clear to me whether other BSDs/Linux are affected.
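The two figures in the report, an allocation of 0 bytes (E341) and one of 4294967295 bytes (E342), are exactly what an unsigned 32-bit subtraction yields when the computed end of a region lands on, or one column before, its start. The model below is added here as an illustration of that arithmetic; it is not vim's lalloc() or block-mode code, and the specific end-column value it feeds in (column 2 for a four-space line) is an assumption chosen so that the cursor positions from How-To-Repeat produce the same two numbers. It also shows the check a fix would need: compare the columns before subtracting, and refuse a zero-byte request instead of passing it to the allocator.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Illustrative model only (not vim's code): the byte count for a blockwise
 * region is derived from a start column (the cursor) and an end column
 * (where `$` put the block end), in 32-bit unsigned arithmetic.
 */

/* Naive length: end column minus start column, no range check.
 * When the end falls at or before the start the subtraction wraps:
 *   end == start      -> 0           (the lalloc(0) case on this page)
 *   end == start - 1  -> 4294967295  (2^32 - 1, the figure in E342)
 */
uint32_t naive_block_len(uint32_t startcol, uint32_t endcol)
{
    return endcol - startcol;
}

/* Checked version: compare before subtracting and reject empty or
 * inverted ranges. Returns the length, or -1 for an invalid range. */
int64_t checked_block_len(uint32_t startcol, uint32_t endcol)
{
    if (endcol <= startcol)
        return -1;                 /* nothing to yank, or inverted range */
    return (int64_t)(endcol - startcol);
}

/* Allocator wrapper that treats a zero-byte request as an internal error
 * instead of letting it through, the same condition E341 reports. */
void *block_alloc(uint32_t len)
{
    if (len == 0) {
        fputs("internal error: allocation of 0 bytes requested\n", stderr);
        return NULL;
    }
    return malloc(len);
}

int main(void)
{
    /* Constructed inputs for the two How-To-Repeat cases: a line of four
     * spaces, block end resolving to column 2 (0-based; an assumption for
     * this model), cursor on the 3rd (col 2) and 4th (col 3) space. */
    const uint32_t endcol = 2;

    printf("cursor on 3rd space: naive len = %" PRIu32 "\n",
           naive_block_len(2, endcol));   /* 0 */
    printf("cursor on 4th space: naive len = %" PRIu32 "\n",
           naive_block_len(3, endcol));   /* 4294967295 */

    if (checked_block_len(3, endcol) < 0)
        puts("checked: inverted range rejected before any allocation");

    void *p = block_alloc(naive_block_len(2, endcol));   /* NULL: 0 bytes */
    free(p);
    return 0;
}
```

Whether vim's real computation follows this shape is not established by the report; the point of the model is that a wrapped unsigned length should be caught at the comparison, not discovered by the allocator.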