Dominique wrote:
> Valgrind detects use of uninitialized memory when doing:
>
> $ valgrind --track-origins=yes \
> vim -u NONE -c '/\(\&\|\1\)\(x\)' 2> vg.log
>
> Vim gives:
>
> Error detected while processing /home/pel/sb/vim/src/undef.vim:
> line 1:
> E486: Pattern not found: \(\&\|\1\)\(x\)
> Press ENTER or type command to continue
>
> I would expect Vim to detect an invalid back reference here
> instead of saying "Pattern not found". And valgrind log file
> vg.log shows access to uninitialized memory:
>
> ==6067== Memcheck, a memory error detector
> ==6067== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==6067== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright
> info
> ==6067== Command: ./vim -u NONE -c /\\(\\&\\|\\1\\)\\(x\\)
> ==6067==
> ==6067== Conditional jump or move depends on uninitialised value(s)
> ==6067== at 0x5010C6: sub_equal (regexp_nfa.c:4027)
> ==6067== by 0x5029F7: has_state_with_pos.isra.16 (regexp_nfa.c:4109)
> ==6067== by 0x502C2B: addstate (regexp_nfa.c:4379)
> ==6067== by 0x502E03: addstate (regexp_nfa.c:4547)
> ==6067== by 0x502ED3: addstate (regexp_nfa.c:4651)
> ==6067== by 0x5032B2: addstate_here (regexp_nfa.c:4692)
> ==6067== by 0x51890E: nfa_regmatch (regexp_nfa.c:6699)
> ==6067== by 0x51AB3F: nfa_regtry (regexp_nfa.c:6893)
> ==6067== by 0x51AF62: nfa_regexec_both (regexp_nfa.c:7084)
> ==6067== by 0x51E9A8: vim_regexec_multi (regexp.c:8276)
> ==6067== by 0x53184B: searchit (search.c:714)
> ==6067== by 0x532725: do_search (search.c:1432)
> ==6067== Uninitialised value was created by a heap allocation
> ==6067== at 0x4C2AB80: malloc (in
> /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==6067== by 0x4C0B2A: lalloc (misc2.c:921)
> ==6067== by 0x518391: nfa_regmatch (regexp_nfa.c:5473)
> ==6067== by 0x51AB3F: nfa_regtry (regexp_nfa.c:6893)
> ==6067== by 0x51AF62: nfa_regexec_both (regexp_nfa.c:7084)
> ==6067== by 0x51E9A8: vim_regexec_multi (regexp.c:8276)
> ==6067== by 0x53184B: searchit (search.c:714)
> ==6067== by 0x532725: do_search (search.c:1432)
> ==6067== by 0x45E401: get_address (ex_docmd.c:4508)
> ==6067== by 0x46613F: do_cmdline (ex_docmd.c:2183)
> ==6067== by 0x409464: main (main.c:2926)
> .... snip more errors after that....
>
> Code in regexp_nfa.c:4027 where error is detected:
>
> 3986 static int
> 3987 sub_equal(sub1, sub2)
> 3988 regsub_T *sub1;
> 3989 regsub_T *sub2;
> 3990 {
> ....
> 4026 s2 = -1;
> !!4027 if (s1 != s2)
> 4028 return FALSE;
> 4029 if (s1 != -1 && sub1->list.multi[i].end_col
> 4030 !=
> sub2->list.multi[i].end_col)
> 4031 return FALSE;
>
> Adding some printf(), I can see that neither s1 nor s2
> are initialized at line 4027.
>
> Valgrind does not complain when using the old regexp engine (re=1)
> with the same regexp:
>
> $ valgrind --track-origins=yes \
> vim -c 'set re=1' -u NONE -c '/\(\&\|\1\)\(x\)' 2> vg.log
>
> With the old regexp engine, vim properly detects the invalid
> regexp saying:
>
> Error detected while processing /home/pel/sb/vim/src/undef.vim:
> line 1:
> E65: Illegal back reference
>
> The bug was found using afl-fuzz. I don't know how to fix it.
Thanks for reporting.
--
When a fly lands on the ceiling, does it do a half roll or
a half loop?
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
