Hi,

ed can be crashed with some malformed commands:

  echo -e "H\n?\{" | ed

The bug seems to be a call of free on a non-allocated pointer.

The bug was found with the fuzzing tool american fuzzy lop in ed 1.14.

Here's a stack trace from address sanitizer:

==29974==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x0000013cc6c0 in thread T0
    #0 0x4c9bd0 in __interceptor_cfree.localalias.1 (/r/ed/ed+0x4c9bd0)
    #1 0x51a01c in get_compiled_regex /f/ed/ed-1.14/regex.c:138:5
    #2 0x51a666 in next_matching_node_addr /f/ed/ed-1.14/regex.c:193:31
    #3 0x516f94 in extract_addresses /f/ed/ed-1.14/main_loop.c:224:31
    #4 0x511db0 in exec_command /f/ed/ed-1.14/main_loop.c:424:24
    #5 0x51162e in main_loop /f/ed/ed-1.14/main_loop.c:721:19
    #6 0x5108b9 in main /f/ed/ed-1.14/main.c:197:10
    #7 0x7f93e58fd78f in __libc_start_main (/lib64/libc.so.6+0x2078f)
    #8 0x419c28 in _start (/r/ed/ed+0x419c28)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: bad-free (/r/ed/ed+0x4c9bd0) in __interceptor_cfree.localalias.1
==29974==ABORTING

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
bug-ed mailing list
bug-ed@gnu.org
https://lists.gnu.org/mailman/listinfo/bug-ed