Dominique wrote:

> afl-fuzz found this case which causes use of
> free memory in vim-8.0563 and older:
> 
> $ cat bug.vim
> set efm=E,%W%m,
> cgetexpr ['C']
> set efm=%C%m
> lexpr '0'
> lopen
> call setqflist([], 'r')
> caddbuf
> 
> $ valgrind vim -u NONE -N -S bug.vim 2> vg.log
> 
> And vg.log contains:
> 
> ==21721== Memcheck, a memory error detector
> ==21721== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==21721== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==21721== Command: vim -u NONE -N -S bug.vim
> ==21721==
> ==21721== Invalid read of size 8
> ==21721==    at 0x507F0E: qf_parse_line (quickfix.c:1053)
> ==21721==    by 0x507F0E: qf_init_ext (quickfix.c:1258)
> ==21721==    by 0x50DFDB: ex_cbuffer (quickfix.c:5046)
> ==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
> ==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
> ==21721==    by 0x4573B9: do_source (ex_cmds2.c:4313)
> ==21721==    by 0x456BF8: cmd_source (ex_cmds2.c:3926)
> ==21721==    by 0x456BF8: ex_source (ex_cmds2.c:3901)
> ==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
> ==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
> ==21721==    by 0x5D34EC: exe_commands (main.c:2923)
> ==21721==    by 0x5D34EC: vim_main2 (main.c:790)
> ==21721==    by 0x5D1E09: main (main.c:419)
> ==21721==  Address 0x76d23a0 is 48 bytes inside a block of size 64 free'd
> ==21721==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==21721==    by 0x5083C1: qf_free (quickfix.c:2740)
> ==21721==    by 0x50DC8B: qf_add_entries (quickfix.c:4733)
> ==21721==    by 0x50DC8B: set_errorlist (quickfix.c:4965)
> ==21721==    by 0x4445EB: set_qf_ll_list (evalfunc.c:10083)
> ==21721==    by 0x435896: call_internal_func (evalfunc.c:991)
> ==21721==    by 0x5AC4D5: call_func (userfunc.c:1446)
> ==21721==    by 0x5AC029: get_func_tv (userfunc.c:455)
> ==21721==    by 0x5B0506: ex_call (userfunc.c:3062)
> ==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
> ==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
> ==21721==    by 0x4573B9: do_source (ex_cmds2.c:4313)
> ==21721==    by 0x456BF8: cmd_source (ex_cmds2.c:3926)
> ==21721==    by 0x456BF8: ex_source (ex_cmds2.c:3901)
> ==21721==  Block was alloc'd at
> ==21721==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==21721==    by 0x4C69F7: lalloc (misc2.c:942)
> ==21721==    by 0x508766: qf_add_entry (quickfix.c:1444)
> ==21721==    by 0x507E59: qf_init_ext (quickfix.c:1267)
> ==21721==    by 0x50E229: ex_cexpr (quickfix.c:5115)
> ==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
> ==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
> ==21721==    by 0x4573B9: do_source (ex_cmds2.c:4313)
> ==21721==    by 0x456BF8: cmd_source (ex_cmds2.c:3926)
> ==21721==    by 0x456BF8: ex_source (ex_cmds2.c:3901)
> ==21721==    by 0x45D124: do_one_cmd (ex_docmd.c:3021)
> ==21721==    by 0x45941D: do_cmdline (ex_docmd.c:1160)
> ==21721==    by 0x5D34EC: exe_commands (main.c:2923)
> ==21721==    by 0x5D34EC: vim_main2 (main.c:790)
> (several more errors after that)
> 
> 
> Doing a git bisection, I see that it's
> a regression introduced by patch 7.4.1980:
> 
> ===
> commit 361c8f0e517e41f1f1d34dae328044406fde80ac
> Author: Bram Moolenaar <[email protected]>
> Date:   Sat Jul 2 15:41:47 2016 +0200
> 
>     patch 7.4.1980
>     Problem:    'errorformat' is parsed for every call to ":caddexpr". Can't add
>                 to two location lists asynchronously.
>     Solution:   Keep the previously parsed data when appropriate. (mostly by
>                 Yegappan Lakshmanan)
> ===

Thanks.  Looks like it happens because of not resetting qf_last.
I made a patch.

-- 
ARTHUR:    Will you ask your master if he wants to join my court at Camelot?!
GUARD #1:  But then of course African swallows are not migratory.
GUARD #2:  Oh, yeah...
GUARD #1:  So they couldn't bring a coconut back anyway...
                                  The Quest for the Holy Grail (Monty Python)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
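The diagnosis in the reply above (a cached tail pointer, qf_last, left pointing into a list that qf_free has already released) is a general use-after-free pattern: a structure keeps a shortcut pointer into its own storage, the storage is freed, and the shortcut survives. The program below is an added illustration, not Vim's code; the types qflist_T and entry_T and the function names are hypothetical. It keeps a list with a cached tail, shows a free routine that forgets the tail next to one that resets it, and adds the invariant check a maintainer would want in the append path so the stale pointer is caught by a plain assertion rather than only by valgrind.

```c
/* Added example, not Vim's code: a list with a cached tail pointer,
 * modelled on the "qf_last not reset" diagnosis. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct entry {
    struct entry *next;
    char text[32];
} entry_T;

typedef struct {
    entry_T *first;   /* head of the list */
    entry_T *last;    /* cached tail so appends are O(1); this is the qf_last analogue */
    int count;
} qflist_T;

/* Invariant a defender can assert: an empty list must not cache a tail.
 * Only pointer values are compared; nothing is dereferenced. */
static int tail_is_stale(const qflist_T *l)
{
    return l->first == NULL && l->last != NULL;
}

/* Append an entry, refusing to write through a dangling cached tail.
 * Returns 1 on success, 0 if allocation failed or the tail is stale. */
static int list_append(qflist_T *l, const char *text)
{
    entry_T *e = calloc(1, sizeof(*e));
    if (e == NULL)
        return 0;
    strncpy(e->text, text, sizeof(e->text) - 1);
    if (tail_is_stale(l))
    {
        /* Writing l->last->next here would be the use of freed memory
         * that the valgrind report above flags. */
        free(e);
        return 0;
    }
    if (l->last == NULL)
        l->first = e;
    else
        l->last->next = e;
    l->last = e;
    l->count++;
    return 1;
}

/* Buggy variant: releases every entry but leaves 'last' pointing at freed memory. */
static void list_free_buggy(qflist_T *l)
{
    entry_T *e = l->first;
    while (e != NULL)
    {
        entry_T *n = e->next;
        free(e);
        e = n;
    }
    l->first = NULL;
    l->count = 0;
    /* l->last deliberately not reset: the stale cached pointer. */
}

/* Fixed variant: same release, plus resetting the cached tail. */
static void list_free_fixed(qflist_T *l)
{
    list_free_buggy(l);
    l->last = NULL;
}

/* Replay the report's sequence (fill, clear, add again) against the buggy free.
 * Returns the result of the append after clearing: 0 means it was refused. */
static int replay_buggy(void)
{
    qflist_T l = { NULL, NULL, 0 };
    list_append(&l, "C");
    list_free_buggy(&l);           /* l.last now dangles */
    int ok = list_append(&l, "0"); /* invariant check trips, no freed memory touched */
    l.last = NULL;                 /* discard the stale pointer before leaving */
    return ok;
}

/* Same sequence against the fixed free. Returns the entry count after re-adding. */
static int replay_fixed(void)
{
    qflist_T l = { NULL, NULL, 0 };
    list_append(&l, "C");
    list_free_fixed(&l);           /* first, last and count all reset */
    list_append(&l, "0");
    int count = l.count;
    list_free_fixed(&l);
    return count;
}

int main(void)
{
    printf("buggy free: append after clear %s\n",
           replay_buggy() ? "succeeded" : "refused (stale tail detected)");
    printf("fixed free: %d entr%s after clear and re-add\n",
           replay_fixed(), replay_fixed() == 1 ? "y" : "ies");
    return 0;
}
```

The check in list_append is the cheap defensive form of what valgrind reports: it costs two pointer comparisons per append and turns a silent write into freed memory into a refused operation that a unit test can assert on. The real fix remains resetting the cached pointer wherever the list is released, as list_free_fixed does.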
