Dominique Pellé wrote:

> afl-fuzz found this case which causes access
> to freed memory in vim-8.0.566 and older:
> 
> $ cat bug.vim
> func Indent()
>   set indentexpr=
> endfunc
> set indentexpr=Indent()
> call feedkeys("i\<c-f>", 'x')
> q
> 
> $ valgrind --num-callers=50 vim -uNONE -S bug.vim 2>vg.log
> 
> And vg.log contains:
> 
> ==12968== Memcheck, a memory error detector
> ==12968== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==12968== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==12968== Command: vim -uNONE -S bug.vim
> ==12968==
> ==12968== Invalid read of size 1
> ==12968==    at 0x643A16: skipwhite (charset.c:1533)
> ==12968==    by 0x618459: get_func_tv (userfunc.c:471)
> ==12968==    by 0x4463F3: eval7 (eval.c:4332)
> ==12968==    by 0x445AFE: eval6 (eval.c:3969)
> ==12968==    by 0x4456C4: eval5 (eval.c:3785)
> ==12968==    by 0x444A1A: eval4 (eval.c:3484)
> ==12968==    by 0x444829: eval3 (eval.c:3401)
> ==12968==    by 0x439E89: eval2 (eval.c:3333)
> ==12968==    by 0x435B52: eval1 (eval.c:3261)
> ==12968==    by 0x435F9B: eval_to_number (eval.c:827)
> ==12968==    by 0x4FA338: get_expr_indent (misc1.c:9271)
> ==12968==    by 0x42F3FE: fixthisline (edit.c:7920)
> ==12968==    by 0x4F454D: do_c_expr_indent (misc1.c:5401)
> ==12968==    by 0x4207B6: edit (edit.c:1590)
> ==12968==    by 0x52B197: invoke_edit (normal.c:9173)
> ==12968==    by 0x52490E: nv_edit (normal.c:9143)
> ==12968==    by 0x51AB71: normal_cmd (normal.c:1150)
> ==12968==    by 0x4859CE: exec_normal (ex_docmd.c:10475)
> ==12968==    by 0x44BA7B: f_feedkeys (evalfunc.c:3206)
> ==12968==    by 0x4474C0: call_internal_func (evalfunc.c:991)
> ==12968==    by 0x618B01: call_func (userfunc.c:1446)
> ==12968==    by 0x6183A3: get_func_tv (userfunc.c:455)
> ==12968==    by 0x61E268: ex_call (userfunc.c:3062)
> ==12968==    by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
> ==12968==    by 0x47AD35: do_cmdline (ex_docmd.c:1160)
> ==12968==    by 0x4786F8: do_source (ex_cmds2.c:4313)
> ==12968==    by 0x477D76: cmd_source (ex_cmds2.c:3926)
> ==12968==    by 0x477DCB: ex_source (ex_cmds2.c:3901)
> ==12968==    by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
> ==12968==    by 0x47AD35: do_cmdline (ex_docmd.c:1160)
> ==12968==    by 0x47BAB5: do_cmdline_cmd (ex_docmd.c:760)
> ==12968==    by 0x64AA61: exe_commands (main.c:2923)
> ==12968==    by 0x649718: vim_main2 (main.c:790)
> ==12968==    by 0x6473F3: main (main.c:419)
> ==12968==  Address 0x769b518 is 8 bytes inside a block of size 9 free'd
> ==12968==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==12968==    by 0x50733D: vim_free (misc2.c:1793)
> ==12968==    by 0x53F7C6: free_string_option (option.c:5713)
> ==12968==    by 0x54A383: did_set_string_option (option.c:7499)
> ==12968==    by 0x541B74: do_set (option.c:5124)
> ==12968==    by 0x48D0CB: ex_set (ex_docmd.c:12280)
> ==12968==    by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
> ==12968==    by 0x47AD35: do_cmdline (ex_docmd.c:1160)
> ==12968==    by 0x619DA2: call_user_func (userfunc.c:942)
> ==12968==    by 0x618A68: call_func (userfunc.c:1427)
> ==12968==    by 0x6183A3: get_func_tv (userfunc.c:455)
> ==12968==    by 0x4463F3: eval7 (eval.c:4332)
> ==12968==    by 0x445AFE: eval6 (eval.c:3969)
> ==12968==    by 0x4456C4: eval5 (eval.c:3785)
> ==12968==    by 0x444A1A: eval4 (eval.c:3484)
> ==12968==    by 0x444829: eval3 (eval.c:3401)
> ==12968==    by 0x439E89: eval2 (eval.c:3333)
> ==12968==    by 0x435B52: eval1 (eval.c:3261)
> ==12968==    by 0x435F9B: eval_to_number (eval.c:827)
> ==12968==    by 0x4FA338: get_expr_indent (misc1.c:9271)
> ==12968==    by 0x42F3FE: fixthisline (edit.c:7920)
> ==12968==    by 0x4F454D: do_c_expr_indent (misc1.c:5401)
> ==12968==    by 0x4207B6: edit (edit.c:1590)
> ==12968==    by 0x52B197: invoke_edit (normal.c:9173)
> ==12968==    by 0x52490E: nv_edit (normal.c:9143)
> ==12968==    by 0x51AB71: normal_cmd (normal.c:1150)
> ==12968==    by 0x4859CE: exec_normal (ex_docmd.c:10475)
> ==12968==    by 0x44BA7B: f_feedkeys (evalfunc.c:3206)
> ==12968==    by 0x4474C0: call_internal_func (evalfunc.c:991)
> ==12968==    by 0x618B01: call_func (userfunc.c:1446)
> ==12968==    by 0x6183A3: get_func_tv (userfunc.c:455)
> ==12968==    by 0x61E268: ex_call (userfunc.c:3062)
> ==12968==    by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
> ==12968==    by 0x47AD35: do_cmdline (ex_docmd.c:1160)
> ==12968==    by 0x4786F8: do_source (ex_cmds2.c:4313)
> ==12968==    by 0x477D76: cmd_source (ex_cmds2.c:3926)
> ==12968==    by 0x477DCB: ex_source (ex_cmds2.c:3901)
> ==12968==    by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
> ==12968==    by 0x47AD35: do_cmdline (ex_docmd.c:1160)
> ==12968==    by 0x47BAB5: do_cmdline_cmd (ex_docmd.c:760)
> ==12968==    by 0x64AA61: exe_commands (main.c:2923)
> ==12968==    by 0x649718: vim_main2 (main.c:790)
> ==12968==    by 0x6473F3: main (main.c:419)
> ==12968==  Block was alloc'd at
> ==12968==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==12968==    by 0x50646A: lalloc (misc2.c:942)
> ==12968==    by 0x506407: alloc (misc2.c:840)
> ==12968==    by 0x5410DE: do_set (option.c:4914)
> ==12968==    by 0x48D0CB: ex_set (ex_docmd.c:12280)
> ==12968==    by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
> ==12968==    by 0x47AD35: do_cmdline (ex_docmd.c:1160)
> ==12968==    by 0x4786F8: do_source (ex_cmds2.c:4313)
> ==12968==    by 0x477D76: cmd_source (ex_cmds2.c:3926)
> ==12968==    by 0x477DCB: ex_source (ex_cmds2.c:3901)
> ==12968==    by 0x47E9F2: do_one_cmd (ex_docmd.c:3021)
> ==12968==    by 0x47AD35: do_cmdline (ex_docmd.c:1160)
> ==12968==    by 0x47BAB5: do_cmdline_cmd (ex_docmd.c:760)
> ==12968==    by 0x64AA61: exe_commands (main.c:2923)
> ==12968==    by 0x649718: vim_main2 (main.c:790)
> ==12968==    by 0x6473F3: main (main.c:419)
> ==12968==
> (more errors after that)

Thanks for reporting this problem!

-- 
ARTHUR:  Well, I can't just call you `Man'.
DENNIS:  Well, you could say `Dennis'.
ARTHUR:  Well, I didn't know you were called `Dennis.'
DENNIS:  Well, you didn't bother to find out, did you?
                                  The Quest for the Holy Grail (Monty Python)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
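The report above shows the classic shape of an option-string use-after-free: get_expr_indent() hands the live 'indentexpr' value to eval_to_number(), the evaluated expression calls a user function that runs ":set indentexpr=", free_string_option() frees that very string, and skipwhite() then reads from the freed block. The C program below is an added example, not Vim's code, that reproduces the pattern in miniature and shows the hardened form beside the vulnerable one. Everything in it is constructed for the illustration: the toy expression grammar, the names run_scenario, get_expr_indent_unsafe and get_expr_indent_safe, and a quarantining free_string_option() that poisons freed strings instead of returning them to malloc, so the stale read yields a deterministic parse error rather than undefined behaviour (valgrind and ASan give you the same effect against a real free()).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed stand-in for Vim's allocator: freed option strings are
 * overwritten with POISON and kept in a quarantine so that reading one
 * after free is observable instead of undefined behaviour. */
#define POISON 0xAB
#define QUARANTINE 64
static void *quarantine[QUARANTINE];
static int nquar;

static char *indentexpr;   /* the live option value, like curbuf->b_p_inde */

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d == NULL) { perror("malloc"); exit(1); }
    memcpy(d, s, n);
    return d;
}

/* Like free_string_option(): the old value is gone once this returns. */
static void free_string_option(char *s)
{
    if (s == NULL) return;
    memset(s, POISON, strlen(s));
    if (nquar < QUARANTINE) quarantine[nquar++] = s; else free(s);
}

/* ":set indentexpr=<val>": frees the old value and installs a new one. */
static void set_indentexpr(const char *val)
{
    char *copy = xstrdup(val);
    free_string_option(indentexpr);
    indentexpr = copy;
}

/* Toy grammar, constructed for the example:
 *   expr := term ('+' term)*
 *   term := digits | "Indent()"
 * "Indent()" invokes the user function, which in the report runs
 * ":set indentexpr=" and so frees the string being evaluated.
 * Returns the sum, or -1 on a parse error (what a poisoned byte produces). */
typedef int (*user_func_t)(void);

static int eval_to_number(const char *expr, user_func_t indent_fn)
{
    const char *p = expr;
    int total = 0;
    for (;;) {
        if (isdigit((unsigned char)*p)) {
            char *end;
            total += (int)strtol(p, &end, 10);
            p = end;
        } else if (strncmp(p, "Indent()", 8) == 0) {
            p += 8;
            total += indent_fn();        /* may free expr under our feet */
        } else {
            return -1;
        }
        if (*p == '\0') return total;    /* stale read if expr was freed */
        if (*p != '+') return -1;
        p++;
    }
}

/* The user's Indent() from the report: clears the option, returns 0. */
static int user_indent_func(void)
{
    set_indentexpr("");
    return 0;
}

/* Vulnerable shape: evaluates the live option pointer. */
static int get_expr_indent_unsafe(void)
{
    return eval_to_number(indentexpr, user_indent_func);
}

/* Hardened shape: evaluate a private copy; the option may change meanwhile. */
static int get_expr_indent_safe(void)
{
    char *copy = xstrdup(indentexpr);
    int indent = eval_to_number(copy, user_indent_func);
    free(copy);
    return indent;
}

/* Constructed scenario: ":set indentexpr=2+Indent()+4", then one evaluation. */
static int run_scenario(int hardened)
{
    set_indentexpr("2+Indent()+4");
    return hardened ? get_expr_indent_safe() : get_expr_indent_unsafe();
}

int main(void)
{
    printf("hardened:   indent=%d\n", run_scenario(1));
    printf("vulnerable: indent=%d (stale read of the freed option)\n", run_scenario(0));
    return 0;
}
```

The hardened path returns 6 (2 + 0 + 4) because it keeps reading its own copy after Indent() replaced the option; the vulnerable path returns -1 because the byte it resumes at has been poisoned by free_string_option(). Any code that evaluates an option, callback or autocommand value needs the same discipline: either copy the string before calling into user code, or make the setter refuse to free a value that is currently being evaluated.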

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
