Hi

The afl-fuzz fuzzer came up with the following command,
which causes access to uninitialized memory in
Vim-7-4-909:

$ valgrind --track-origins=yes 2> valgrind.log \
  vim -u NONE -c 'syn keyword x nextgroup=\(\1\)'

In valgrind.log:

==4366== Memcheck, a memory error detector
==4366== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==4366== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==4366== Command: ./vim -u NONE -c syn\ keyword\ x\ nextgroup=\\(\\1\\)
==4366==
==4366== Conditional jump or move depends on uninitialised value(s)
==4366==    at 0x55246B: match_backref (regexp_nfa.c:4882)
==4366==    by 0x555276: nfa_regmatch (regexp_nfa.c:6398)
==4366==    by 0x556214: nfa_regtry (regexp_nfa.c:6894)
==4366==    by 0x5569DF: nfa_regexec_both (regexp_nfa.c:7085)
==4366==    by 0x556D6A: nfa_regexec_nl (regexp_nfa.c:7247)
==4366==    by 0x55702D: vim_regexec_both (regexp.c:8179)
==4366==    by 0x5571BD: vim_regexec (regexp.c:8238)
==4366==    by 0x5A90B8: get_id_list (syntax.c:6027)
==4366==    by 0x5A5C2F: get_syn_options (syntax.c:4602)
==4366==    by 0x5A63C4: syn_cmd_keyword (syntax.c:4840)
==4366==    by 0x5A97B3: ex_syntax (syntax.c:6296)
==4366==    by 0x46E052: do_one_cmd (ex_docmd.c:2961)
==4366==  Uninitialised value was created by a heap allocation
==4366==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4366==    by 0x4E27E3: lalloc (misc2.c:921)
==4366==    by 0x5530D0: nfa_regmatch (regexp_nfa.c:5474)
==4366==    by 0x556214: nfa_regtry (regexp_nfa.c:6894)
==4366==    by 0x5569DF: nfa_regexec_both (regexp_nfa.c:7085)
==4366==    by 0x556D6A: nfa_regexec_nl (regexp_nfa.c:7247)
==4366==    by 0x55702D: vim_regexec_both (regexp.c:8179)
==4366==    by 0x5571BD: vim_regexec (regexp.c:8238)
==4366==    by 0x5A90B8: get_id_list (syntax.c:6027)
==4366==    by 0x5A5C2F: get_syn_options (syntax.c:4602)
==4366==    by 0x5A63C4: syn_cmd_keyword (syntax.c:4840)
==4366==    by 0x5A97B3: ex_syntax (syntax.c:6296)

Regards
Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
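Added triage helper (not part of Dominique's report and not Vim code): when afl-fuzz hands you a queue of crashing inputs, re-running each under valgrind produces many logs like the one above, most of them duplicates of a few bugs. The script below reduces a Memcheck log to a "kind|top frame|origin frame" signature so the logs can be bucketed before anyone files a report. The only input it needs is embedded: the quoted log, shortened to two frames per stack. File names and the way the harness feeds inputs to vim are assumptions.

```shell
# Added example, not from the original message or from Vim: deduplicate
# valgrind (Memcheck) findings from a fuzzing run by their signature.

# Constructed sample: the Memcheck report quoted in the message above, cut
# to two frames per stack and with the wrapped "malloc (in ...)" line rejoined.
SAMPLE_LOG='==4366== Memcheck, a memory error detector
==4366== Command: ./vim -u NONE -c syn\ keyword\ x\ nextgroup=\\(\\1\\)
==4366==
==4366== Conditional jump or move depends on uninitialised value(s)
==4366==    at 0x55246B: match_backref (regexp_nfa.c:4882)
==4366==    by 0x555276: nfa_regmatch (regexp_nfa.c:6398)
==4366==  Uninitialised value was created by a heap allocation
==4366==    at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4366==    by 0x4E27E3: lalloc (misc2.c:921)
==4366==    by 0x5530D0: nfa_regmatch (regexp_nfa.c:5474)'

# valgrind_signature [SKIP_REGEX]   (reads one Memcheck log on stdin)
# Prints "KIND|TOP|ORIGIN": KIND is the first Memcheck error in the log, TOP its
# first stack frame outside valgrind's allocator wrappers, ORIGIN the first such
# frame of the "Uninitialised value was created by" stack (empty unless the log
# was produced with --track-origins=yes). SKIP_REGEX is an optional awk regex
# for additional frames to ignore, e.g. a project's own malloc wrapper, so that
# the origin points at the caller that actually owns the allocation.
valgrind_signature() {
    awk -v skip="${1:-}" '
        { sub(/^==[0-9]+== ?/, "") }          # drop the ==PID== prefix
        section == "" && /^(Conditional jump|Invalid (read|write|free)|Use of uninitialised|Syscall param|Mismatched free|Jump to the invalid|Source and destination overlap)/ {
            kind = $0; section = "error"; next
        }
        /^ *Uninitialised value was created by/ { section = "origin"; next }
        /^ *(at|by) 0x/ {
            frame = $0
            sub(/^ *(at|by) 0x[0-9A-Fa-f]+: /, "", frame)   # -> "func (file:line)"
            split(frame, parts, " ")
            fn = parts[1]
            if (fn ~ /^(malloc|calloc|realloc|free|operator)$/) next
            if (skip != "" && fn ~ skip) next
            if (section == "error" && top == "") top = frame
            else if (section == "origin" && origin == "") origin = frame
        }
        END { print kind "|" top "|" origin }
    '
}

# bucket_logs FILE...   one line per distinct signature, most frequent first.
# Produce one log per crash input with the reporter's command line plus
# --error-exitcode (so the shell can tell a clean run from a dirty one) and
# --log-file, however the fuzzing harness feeds the inputs to vim (assumed):
#   valgrind --track-origins=yes --error-exitcode=99 --log-file="$input.vg" \
#       ./vim -u NONE ...
bucket_logs() {
    for f in "$@"; do
        valgrind_signature < "$f"
    done | sort | uniq -c | sort -rn
}

# Demo on the constructed sample, then on any log files given as arguments.
printf '%s\n' "$SAMPLE_LOG" | valgrind_signature
printf '%s\n' "$SAMPLE_LOG" | valgrind_signature '^lalloc$'   # also skip Vim's lalloc wrapper
if [ "$#" -gt 0 ]; then
    bucket_logs "$@"
fi
```

Two inputs that die in the same place with the same origin collapse to one count line, which is usually the right granularity for a first pass; passing a skip regex for the project's own allocator wrapper (lalloc here) moves the origin frame from the wrapper to the allocating caller in regexp_nfa.c, which is the frame a reader of this report actually wants.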
