Hi
afl-fuzz found this case which causes access
to freed memory in vim-8.0.566 and older:
$ cat bug.vim
func Indent()
set indentexpr=
endfunc
set indentexpr=Indent()
call feedkeys("i\<c-f>", 'x')
q
$ valgrind --num-callers=50 vim -uNONE -S bug.vim 2>vg.log
And vg.log contains:
==12968== Memcheck, a memory error detector
==12968== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==12968== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==12968== Command: vim -uNONE -S bug.vim
==12968==
==12968== Invalid read of size 1
==12968== at 0x643A16: skipwhite (charset.c:1533)
==12968== by 0x618459: get_func_tv (userfunc.c:471)
==12968== by 0x4463F3: eval7 (eval.c:4332)
==12968== by 0x445AFE: eval6 (eval.c:3969)
==12968== by 0x4456C4: eval5 (eval.c:3785)
==12968== by 0x444A1A: eval4 (eval.c:3484)
==12968== by 0x444829: eval3 (eval.c:3401)
==12968== by 0x439E89: eval2 (eval.c:3333)
==12968== by 0x435B52: eval1 (eval.c:3261)
==12968== by 0x435F9B: eval_to_number (eval.c:827)
==12968== by 0x4FA338: get_expr_indent (misc1.c:9271)
==12968== by 0x42F3FE: fixthisline (edit.c:7920)
==12968== by 0x4F454D: do_c_expr_indent (misc1.c:5401)
==12968== by 0x4207B6: edit (edit.c:1590)
==12968== by 0x52B197: invoke_edit (normal.c:9173)
==12968== by 0x52490E: nv_edit (normal.c:9143)
==12968== by 0x51AB71: normal_cmd (normal.c:1150)
==12968== by 0x4859CE: exec_normal (ex_docmd.c:10475)
==12968== by 0x44BA7B: f_feedkeys (evalfunc.c:3206)
==12968== by 0x4474C0: call_internal_func (evalfunc.c:991)
==12968== by 0x618B01: call_func (userfunc.c:1446)
==12968== by 0x6183A3: get_func_tv (userfunc.c:455)
==12968== by 0x61E268: ex_call (userfunc.c:3062)
==12968== by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
==12968== by 0x47AD35: do_cmdline (ex_docmd.c:1160)
==12968== by 0x4786F8: do_source (ex_cmds2.c:4313)
==12968== by 0x477D76: cmd_source (ex_cmds2.c:3926)
==12968== by 0x477DCB: ex_source (ex_cmds2.c:3901)
==12968== by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
==12968== by 0x47AD35: do_cmdline (ex_docmd.c:1160)
==12968== by 0x47BAB5: do_cmdline_cmd (ex_docmd.c:760)
==12968== by 0x64AA61: exe_commands (main.c:2923)
==12968== by 0x649718: vim_main2 (main.c:790)
==12968== by 0x6473F3: main (main.c:419)
==12968== Address 0x769b518 is 8 bytes inside a block of size 9 free'd
==12968== at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==12968== by 0x50733D: vim_free (misc2.c:1793)
==12968== by 0x53F7C6: free_string_option (option.c:5713)
==12968== by 0x54A383: did_set_string_option (option.c:7499)
==12968== by 0x541B74: do_set (option.c:5124)
==12968== by 0x48D0CB: ex_set (ex_docmd.c:12280)
==12968== by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
==12968== by 0x47AD35: do_cmdline (ex_docmd.c:1160)
==12968== by 0x619DA2: call_user_func (userfunc.c:942)
==12968== by 0x618A68: call_func (userfunc.c:1427)
==12968== by 0x6183A3: get_func_tv (userfunc.c:455)
==12968== by 0x4463F3: eval7 (eval.c:4332)
==12968== by 0x445AFE: eval6 (eval.c:3969)
==12968== by 0x4456C4: eval5 (eval.c:3785)
==12968== by 0x444A1A: eval4 (eval.c:3484)
==12968== by 0x444829: eval3 (eval.c:3401)
==12968== by 0x439E89: eval2 (eval.c:3333)
==12968== by 0x435B52: eval1 (eval.c:3261)
==12968== by 0x435F9B: eval_to_number (eval.c:827)
==12968== by 0x4FA338: get_expr_indent (misc1.c:9271)
==12968== by 0x42F3FE: fixthisline (edit.c:7920)
==12968== by 0x4F454D: do_c_expr_indent (misc1.c:5401)
==12968== by 0x4207B6: edit (edit.c:1590)
==12968== by 0x52B197: invoke_edit (normal.c:9173)
==12968== by 0x52490E: nv_edit (normal.c:9143)
==12968== by 0x51AB71: normal_cmd (normal.c:1150)
==12968== by 0x4859CE: exec_normal (ex_docmd.c:10475)
==12968== by 0x44BA7B: f_feedkeys (evalfunc.c:3206)
==12968== by 0x4474C0: call_internal_func (evalfunc.c:991)
==12968== by 0x618B01: call_func (userfunc.c:1446)
==12968== by 0x6183A3: get_func_tv (userfunc.c:455)
==12968== by 0x61E268: ex_call (userfunc.c:3062)
==12968== by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
==12968== by 0x47AD35: do_cmdline (ex_docmd.c:1160)
==12968== by 0x4786F8: do_source (ex_cmds2.c:4313)
==12968== by 0x477D76: cmd_source (ex_cmds2.c:3926)
==12968== by 0x477DCB: ex_source (ex_cmds2.c:3901)
==12968== by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
==12968== by 0x47AD35: do_cmdline (ex_docmd.c:1160)
==12968== by 0x47BAB5: do_cmdline_cmd (ex_docmd.c:760)
==12968== by 0x64AA61: exe_commands (main.c:2923)
==12968== by 0x649718: vim_main2 (main.c:790)
==12968== by 0x6473F3: main (main.c:419)
==12968== Block was alloc'd at
==12968== at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==12968== by 0x50646A: lalloc (misc2.c:942)
==12968== by 0x506407: alloc (misc2.c:840)
==12968== by 0x5410DE: do_set (option.c:4914)
==12968== by 0x48D0CB: ex_set (ex_docmd.c:12280)
==12968== by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
==12968== by 0x47AD35: do_cmdline (ex_docmd.c:1160)
==12968== by 0x4786F8: do_source (ex_cmds2.c:4313)
==12968== by 0x477D76: cmd_source (ex_cmds2.c:3926)
==12968== by 0x477DCB: ex_source (ex_cmds2.c:3901)
==12968== by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
==12968== by 0x47AD35: do_cmdline (ex_docmd.c:1160)
==12968== by 0x47BAB5: do_cmdline_cmd (ex_docmd.c:760)
==12968== by 0x64AA61: exe_commands (main.c:2923)
==12968== by 0x649718: vim_main2 (main.c:790)
==12968== by 0x6473F3: main (main.c:419)
==12968==
(more errors after that)
Regards
Dominique
--
You received this message from the "vim_dev" maillist.
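For readers following along, the pattern behind the Valgrind trace above is an evaluator reading an option string while the user function it calls resets that same option, freeing the string out from under it. The following is an added illustration, not Vim's code: buf_T, set_indentexpr, user_indent_func, eval_indentexpr and the get_expr_indent_* functions are hypothetical stand-ins for the real functions named in the log, and the little live-block tracker is a constructed substitute for Memcheck so the stale read is counted deterministically instead of dereferenced. It shows the defect shape beside the usual hardening for it: copy the option string before evaluating it, so a reset during evaluation cannot invalidate what the evaluator is scanning.

```c
/*
 * Added illustration (not Vim's code): a callback that frees the option
 * string its caller is still reading, and the copy-first hardening.
 * Names below are hypothetical stand-ins for the functions in the log.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Bookkeeping for live heap blocks: a miniature stand-in for Memcheck. */
static struct { char *base; size_t len; } live[MAX_LIVE];
static int n_live;

static char *tracked_strdup(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p == NULL || n_live == MAX_LIVE)
        abort();
    memcpy(p, s, len);
    live[n_live].base = p;
    live[n_live].len = len;
    n_live++;
    return p;
}

static void tracked_free(char *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < n_live; i++)
        if (live[i].base == p) {
            live[i] = live[--n_live];
            free(p);
            return;
        }
    abort();  /* double free or foreign pointer */
}

/* Return 1 if p points inside a live block, 0 otherwise. */
static int is_live(const char *p)
{
    for (int i = 0; i < n_live; i++)
        if (p >= live[i].base && p < live[i].base + live[i].len)
            return 1;
    return 0;
}

/* Minimal model of a buffer with a string option such as 'indentexpr'. */
typedef struct {
    char *indentexpr;  /* heap-owned, replaced by set_indentexpr() */
} buf_T;

static void set_indentexpr(buf_T *buf, const char *val)
{
    char *old = buf->indentexpr;
    buf->indentexpr = tracked_strdup(val);
    tracked_free(old);          /* plays the role of free_string_option() */
}

/* The "user function" the option evaluates; like Indent() in bug.vim it
 * clears the option, which frees the string the caller is still reading. */
static void user_indent_func(buf_T *buf)
{
    set_indentexpr(buf, "");
}

/*
 * Stand-in for expression evaluation: walks the expression, calls the user
 * function at the first '(' (as eval7/call_func do), then keeps scanning
 * the rest of the string (as skipwhite() did in the log).  Returns how many
 * reads would have gone through a pointer into freed memory.
 */
static int eval_indentexpr(buf_T *buf, const char *expr)
{
    int stale_reads = 0;
    for (const char *p = expr; ; p++) {
        if (!is_live(p)) {      /* would be an "Invalid read of size 1" */
            stale_reads++;
            break;              /* count it instead of dereferencing */
        }
        if (*p == '\0')
            break;
        if (*p == '(')
            user_indent_func(buf);
    }
    return stale_reads;
}

/* Vulnerable shape: evaluate directly from the option's own storage. */
static int get_expr_indent_unsafe(buf_T *buf)
{
    return eval_indentexpr(buf, buf->indentexpr);
}

/* Hardened shape: copy the option first, so a reset inside the user
 * function cannot pull the string out from under the evaluator. */
static int get_expr_indent_safe(buf_T *buf)
{
    char *copy = tracked_strdup(buf->indentexpr);
    int stale_reads = eval_indentexpr(buf, copy);
    tracked_free(copy);
    return stale_reads;
}

/* Run one shape from a fresh buffer; returns the stale-read count. */
static int run_scenario(int hardened)
{
    buf_T buf = { tracked_strdup("Indent()") };   /* constructed input */
    int stale = hardened ? get_expr_indent_safe(&buf)
                         : get_expr_indent_unsafe(&buf);
    tracked_free(buf.indentexpr);
    buf.indentexpr = NULL;
    return stale;
}

int main(void)
{
    printf("unsafe: %d stale read(s)\n", run_scenario(0));
    printf("safe:   %d stale read(s)\n", run_scenario(1));
    return 0;
}
```

The tracker is only there to make the stale access observable without undefined behaviour; in a real tree the equivalent check is exactly what running the reproducer under Valgrind or ASan gives you. The hardened variant's cost is one extra allocation per indent evaluation, which is what makes the copy-first approach the usual fix for option strings that user code can reassign mid-evaluation.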