Hi

Fuzzing with afl-fuzz found another crash in Vim.
It happens in vim-7.4.1073 (and older), but it does not
happen in Vim-7.4.52 which comes with xubuntu-14.04.

Steps to reproduce:

  $ vim -u NONE -c 'com -a='
  Vim: Caught deadly signal SEGV

  Vim: Finished.
  Segmentation fault (core dumped)

Valgrind says:

==17621== Memcheck, a memory error detector
==17621== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==17621== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==17621== Command: ./vim -u NONE -c com!\ -a=
==17621== Parent PID: 16430
==17621==
==17621== Invalid read of size 1
==17621==    at 0x4766C3: parse_addr_type_arg (ex_docmd.c:6933)
==17621==    by 0x475251: uc_scan_attr (ex_docmd.c:6226)
==17621==    by 0x475384: ex_command (ex_docmd.c:6271)
==17621==    by 0x46F007: do_one_cmd (ex_docmd.c:2962)
==17621==    by 0x46BCF5: do_cmdline (ex_docmd.c:1133)
==17621==    by 0x46B331: do_cmdline_cmd (ex_docmd.c:738)
==17621==    by 0x5DF33B: exe_commands (main.c:2928)
==17621==    by 0x5DC91D: main (main.c:962)
==17621==  Address 0x76aa2a9 is 0 bytes after a block of size 9 alloc'd
==17621==    at 0x4C2AB80: malloc (in
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==17621==    by 0x4E38DF: lalloc (misc2.c:951)
==17621==    by 0x4E37AD: alloc (misc2.c:835)
==17621==    by 0x4E3D2D: vim_strsave (misc2.c:1289)
==17621==    by 0x46BB1F: do_cmdline (ex_docmd.c:1063)
==17621==    by 0x46B331: do_cmdline_cmd (ex_docmd.c:738)
==17621==    by 0x5DF33B: exe_commands (main.c:2928)
==17621==    by 0x5DC91D: main (main.c:962)
(...more errors after that...)

I did a bisection:

  vim-7.4.542 -> crash
  vim-7.4.541 -> OK

So the regression was introduced by this patch:

commit f1d6ccf2f9c8a8ae2c0ec4577946397c103ead2b
Author: Bram Moolenaar <[email protected]>
Date:   Mon Dec 8 04:16:44 2014 +0100

    updated for version 7.4.542
    Problem:    Using a range for window and buffer commands has a few problems.
                Cannot specify the type of range for a user command.
    Solution:   Add the -addr argument for user commands.  Fix problems. (Marcin
                Szamotulski)

Attached patch fixes the crash.

Regards
Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups 
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
diff --git a/src/ex_docmd.c b/src/ex_docmd.c
index ac713dc..5b1a7b1 100644
--- a/src/ex_docmd.c
+++ b/src/ex_docmd.c
@@ -6930,7 +6930,7 @@ parse_addr_type_arg(value, vallen, argt, addr_type_arg)
     if (addr_type_complete[i].expand == -1)
     {
 	char_u	*err = value;
-	for (i=0; err[i] == NUL || !vim_iswhite(err[i]); i++);
+	for (i = 0; err[i] != NUL && !vim_iswhite(err[i]); i++);
 	err[i] = NUL;
 	EMSG2(_("E180: Invalid address type value: %s"), err);
 	return FAIL;
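Review bot: the new condition is the right fix: with `err[i] == NUL || ...` the loop does not stop at the terminator, it steps past it, which is exactly the one-byte read just after the 9-byte block that Valgrind reports, and `err[i] != NUL && !vim_iswhite(err[i])` stops on either NUL or whitespace. Two small points on the same lines: the empty loop body is a bare `;` at the end of the `for` line, which reads like a stray terminator; put it on its own line so the intent is visible. And since the function already receives `vallen`, if that is the length of the value token as the caller scanned it, `err[vallen] = NUL` would avoid re-scanning the string and the reuse of `i`, which here shadows the index into `addr_type_complete` from the loop above. Note also that `err[i] = NUL` truncates `value` in place, so this path relies on the caller not using `value` after a FAIL return; that was already true before this change.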

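To make the off-by-one concrete, here is an added example (not part of the bug report and not Vim's code) that runs both loop conditions from the patch over a bounds-checked buffer sized like `vim_strsave` would size it (strlen + 1). Every read outside the allocation is recorded instead of dereferenced, so the buggy version can be exercised safely. The helper names (`scan_value`, `tracked_buf`) and the inputs are assumptions made for the demonstration; `vim_iswhite` is approximated as space or tab.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NUL '\0'

/* Approximation of Vim's vim_iswhite(): space or tab. (assumption) */
static int vim_iswhite(unsigned char c) { return c == ' ' || c == '\t'; }

/* A string plus its allocation size; reads past the end are counted, not performed. */
typedef struct {
    const char *data;
    size_t size;       /* bytes actually allocated: strlen(data) + 1 */
    bool oob;          /* set once any index >= size is read */
    size_t max_index;  /* highest index the loop tried to read */
} tracked_buf;

static unsigned char rd(tracked_buf *b, size_t i)
{
    if (i > b->max_index)
        b->max_index = i;
    if (i >= b->size) {
        b->oob = true;
        return ' ';  /* pretend whitespace so the buggy loop terminates instead of running off */
    }
    return (unsigned char)b->data[i];
}

typedef struct {
    size_t len;        /* index at which the loop stopped, i.e. where NUL would be written */
    bool oob;          /* true if the loop read beyond the allocation */
    size_t max_index;
} scan_result;

/* Run the token scan from parse_addr_type_arg() over `value`.
 * fixed == false: the original condition  err[i] == NUL || !vim_iswhite(err[i])
 * fixed == true : the patched condition   err[i] != NUL && !vim_iswhite(err[i]) */
static scan_result scan_value(const char *value, bool fixed)
{
    tracked_buf b = { value, strlen(value) + 1, false, 0 };
    size_t i;

    if (fixed) {
        for (i = 0; rd(&b, i) != NUL && !vim_iswhite(rd(&b, i)); i++)
            ;
    } else {
        for (i = 0; rd(&b, i) == NUL || !vim_iswhite(rd(&b, i)); i++)
            ;
    }

    scan_result r = { i, b.oob, b.max_index };
    return r;
}

int main(void)
{
    /* Constructed inputs: the reported crash (empty value after "-a="), a bogus
     * value at end of line, and a bogus value followed by more text. */
    const char *inputs[] = { "", "bogus", "bogus rest" };
    for (size_t k = 0; k < sizeof inputs / sizeof *inputs; k++) {
        scan_result before = scan_value(inputs[k], false);
        scan_result after  = scan_value(inputs[k], true);
        printf("value=\"%s\" (alloc %zu): before: stop=%zu oob=%d  after: stop=%zu oob=%d\n",
               inputs[k], strlen(inputs[k]) + 1,
               before.len, before.oob, after.len, after.oob);
    }
    return 0;
}
```

The buggy condition stops only on whitespace, so any value that is the last thing on the command line walks through the terminator and reads one byte past the allocation; the patched condition stops at NUL or whitespace and never leaves the buffer.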