Hi,

Vim-7.4.824 (and older) accesses uninitialized memory which can sometimes cause a crash when calling vim_free(...) with an invalid pointer in clear_tv(). The bug can be reproduced with:

$ valgrind --track-origins=yes vim -u NONE -S bug-tv.vim -c q

... where bug-tv.vim is the attached file. The bug was found with afl-fuzz. The attached patch fixes it.

Valgrind reports:

==3711== Memcheck, a memory error detector
==3711== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==3711== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==3711== Command: /home/pel/sb/vim/src/vim -u NONE -S bug-tv.vim -c q
==3711== Parent PID: 2711
==3711==
==3711== Conditional jump or move depends on uninitialised value(s)
==3711==    at 0x44294D: clear_tv (eval.c:21076)
==3711==    by 0x453B5A: eval_index (eval.c:5435)
==3711==    by 0x446FF8: handle_subscript (eval.c:20987)
==3711==    by 0x46EB4A: eval7 (eval.c:5274)
==3711==    by 0x46E01E: eval6 (eval.c:4889)
==3711==    by 0x46DB84: eval5 (eval.c:4705)
==3711==    by 0x46CDBA: eval4 (eval.c:4398)
==3711==    by 0x46CB99: eval3 (eval.c:4310)
==3711==    by 0x46C989: eval2 (eval.c:4239)
==3711==    by 0x442B82: eval1 (eval.c:4164)
==3711==    by 0x44C056: ex_echo (eval.c:22053)
==3711==    by 0x49053A: do_one_cmd (ex_docmd.c:2941)
==3711==    by 0x48BDFD: do_cmdline (ex_docmd.c:1133)
==3711==    by 0x489569: do_source (ex_cmds2.c:3353)
==3711==    by 0x488ABA: cmd_source (ex_cmds2.c:2962)
==3711==    by 0x488BAE: ex_source (ex_cmds2.c:2935)
==3711==    by 0x49053A: do_one_cmd (ex_docmd.c:2941)
==3711==    by 0x48BDFD: do_cmdline (ex_docmd.c:1133)
==3711==    by 0x48CCA5: do_cmdline_cmd (ex_docmd.c:738)
==3711==    by 0x677877: exe_commands (main.c:2926)
==3711==    by 0x67438C: main (main.c:961)
==3711==  Uninitialised value was created by a stack allocation
==3711==    at 0x453780: eval_index (eval.c:5350)
==3711==
==3711== Use of uninitialised value of size 8
==3711==    at 0x442957: clear_tv (eval.c:21076)
==3711==    by 0x453B5A: eval_index (eval.c:5435)
==3711==    by 0x446FF8: handle_subscript (eval.c:20987)
==3711==    by 0x46EB4A: eval7 (eval.c:5274)
==3711==    by 0x46E01E: eval6 (eval.c:4889)
==3711==    by 0x46DB84: eval5 (eval.c:4705)
==3711==    by 0x46CDBA: eval4 (eval.c:4398)
==3711==    by 0x46CB99: eval3 (eval.c:4310)
==3711==    by 0x46C989: eval2 (eval.c:4239)
==3711==    by 0x442B82: eval1 (eval.c:4164)
==3711==    by 0x44C056: ex_echo (eval.c:22053)
==3711==    by 0x49053A: do_one_cmd (ex_docmd.c:2941)
==3711==    by 0x48BDFD: do_cmdline (ex_docmd.c:1133)
==3711==    by 0x489569: do_source (ex_cmds2.c:3353)
==3711==    by 0x488ABA: cmd_source (ex_cmds2.c:2962)
==3711==    by 0x488BAE: ex_source (ex_cmds2.c:2935)
==3711==    by 0x49053A: do_one_cmd (ex_docmd.c:2941)
==3711==    by 0x48BDFD: do_cmdline (ex_docmd.c:1133)
==3711==    by 0x48CCA5: do_cmdline_cmd (ex_docmd.c:738)
==3711==    by 0x677877: exe_commands (main.c:2926)
==3711==    by 0x67438C: main (main.c:961)
==3711==  Uninitialised value was created by a stack allocation
==3711==    at 0x453780: eval_index (eval.c:5350)

Regards
Dominique

--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

---
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
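The bug class in the report above, an uninitialised tagged value reaching a shared cleanup that dispatches on the tag, reduced to a small added C model. This is illustration code, not Vim's: typval_T, init_tv(), clear_tv() and eval_index_model() are simplified hypothetical stand-ins for the Vim functions named in the trace, the "stack slot" is passed in explicitly so the stale-frame case can be exercised deterministically instead of relying on undefined behaviour, and tv_free() is a demo wrapper that counts an attempt to free the one known-stale pointer rather than handing it to free().

```c
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for Vim's typval_T: a type tag plus a union whose
 * meaning depends on the tag (hypothetical, not Vim's definition). */
typedef enum { VAR_UNKNOWN = 0, VAR_NUMBER, VAR_STRING } vartype_T;
typedef struct { vartype_T v_type; union { long v_number; char *v_string; } vval; } typval_T;

/* Demo instrumentation: a pointer a reused stack frame might still hold, and a
 * free() wrapper that records an attempt to free it instead of corrupting the
 * heap (real free() on such a pointer aborts or corrupts allocator state). */
static char stale_buf[8];
static int bad_frees = 0;
static void tv_free(void *p) {
    if (p == stale_buf) { bad_frees++; return; }   /* would be an invalid free */
    free(p);
}

/* Models init_tv(): mark the value as holding nothing (VAR_UNKNOWN). */
static void init_tv(typval_T *tv) { memset(tv, 0, sizeof *tv); }

/* Models clear_tv(): release whatever the tag says the value owns. */
static void clear_tv(typval_T *tv) {
    if (tv->v_type == VAR_STRING) tv_free(tv->vval.v_string);
    tv->v_type = VAR_UNKNOWN;
}

/* Models eval_index(): "[key]" evaluates the key into var1, ".key" leaves var1
 * untouched, and both paths fall through to the same clear_tv() cleanup.
 * `frame` stands in for the uninitialised stack slot. Returns 1 if the call
 * tried to free an invalid pointer, 0 otherwise. */
int eval_index_model(typval_T *frame, const char *arg, int apply_fix) {
    typval_T *var1 = frame;
    int before = bad_frees;
    if (apply_fix) init_tv(var1);          /* the patch: initialise before any path */
    if (*arg == '[') {                     /* bracket path: var1 owns a copy of the key */
        size_t n = strlen(arg + 1) + 1;
        var1->v_type = VAR_STRING;
        var1->vval.v_string = memcpy(malloc(n), arg + 1, n);
    }                                      /* dot path: var1 never assigned */
    clear_tv(var1);                        /* shared cleanup, as at eval.c:5435 */
    return bad_frees != before;
}

/* Simulates what a previous call may have left in the stack slot: a VAR_STRING
 * tag and a dangling pointer, which is the worst case for clear_tv(). */
void poison_frame(typval_T *frame) {
    frame->v_type = VAR_STRING;
    frame->vval.v_string = stale_buf;
}
```

The same structure is why the two-line patch is sufficient: once the tag is VAR_UNKNOWN on entry, the cleanup is a no-op on every path that never assigned the value.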
bug-tv.vim
diff -r a9290d3ec4ed src/eval.c
--- a/src/eval.c Wed Aug 12 22:56:58 2015 +0200
+++ b/src/eval.c Thu Aug 13 22:05:46 2015 +0200
@@ -5371,6 +5371,8 @@
}
#endif
+ init_tv(&var1);
+ init_tv(&var2);
if (**arg == '.')
{
/*
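Review bot: the two `init_tv()` calls are placed after the `#endif` that opens this hunk, some twenty lines below the declaration Valgrind attributes the stack allocation to (eval.c:5350); initialising `var1` and `var2` at their declaration instead would also cover any path inside the conditional block above that reaches the shared `clear_tv()` cleanup before this point. The patch description should also say which path leaves the two typvals unassigned before `clear_tv()` (the hunk sits directly before the `if (**arg == '.')` branch), and the bug-tv.vim reproducer belongs in the test suite so the regression is caught without Valgrind.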
