Hi,

afl-fuzz found a crash with vim-7.4.1273 (and older). Vim-7.4.52, which comes with xubuntu-14.04, does not crash.
I did a 'git bisect' to find when the regression was introduced; the crash was introduced in this commit:

===
$ git bisect bad
e0ad365498399c1bd34dd6361b3f7dc38e84e4ca is the first bad commit
commit e0ad365498399c1bd34dd6361b3f7dc38e84e4ca
Author: Bram Moolenaar <[email protected]>
Date:   Tue Jan 27 12:59:55 2015 +0100

    updated for version 7.4.593
    Problem:    Crash when searching for "x\{0,90000}". (Dominique Pelle)
    Solution:   Bail out from the NFA engine when the max limit is much
                higher than the min limit.
===

Steps to reproduce the crash:

$ vim -u NONE -N -S crash.vim
Vim: Caught deadly signal SEGV
Press ENTER or type command to continueVim: Finished.
Segmentation fault (core dumped)

where crash.vim is the attached file.

Looking with gdb, vim crashes at ex_eval.c:1581 when dereferencing current_exception, which is NULL:

Program received signal SIGSEGV, Segmentation fault.
ex_catch (eap=0x7fffffffc510) at ex_eval.c:1581
  1563│         save_cpo = p_cpo;
  1564│         p_cpo = (char_u *)"";
 !1565│         regmatch.regprog = vim_regcomp(pat, RE_MAGIC + RE_STRING);
  1566│         regmatch.rm_ic = FALSE;
  1567│         if (end != NULL)
  1568│             *end = save_char;
  1570│         if (regmatch.regprog == NULL)
  1571│             EMSG2(_(e_invarg2), pat);
  1572│         else
  1573│         {
  1574│             /*
  1575│              * Save the value of got_int and reset it.  We don't want
  1576│              * a previous interruption cancel matching, only hitting
  1577│              * CTRL-C while matching should abort it.
  1578│              */
  1579│             prev_got_int = got_int;
  1580│             got_int = FALSE;
!!1581├>           caught = vim_regexec_nl(&regmatch, current_exception->value,
  1582│                                       (colnr_T)0);
  1583│             got_int |= prev_got_int;
  1584│             vim_regfree(regmatch.regprog);
  1585│
(gdb) bt
#0  ex_catch (eap=0x7fffffffc510) at ex_eval.c:1581
#1  0x0000000000467f33 in do_one_cmd (cookie=0x7fffffffcb30, fgetline=0x45c750 <getsourceline>, cstack=0x7fffffffc5e0, sourcing=1, cmdlinep=0x7fffffffc460) at ex_docmd.c:2930
#2  do_cmdline (cmdline=cmdline@entry=0x86ce10 "s", fgetline=fgetline@entry=0x45c750 <getsourceline>, cookie=cookie@entry=0x7fffffffcb30, flags=flags@entry=7) at ex_docmd.c:1116
#3  0x000000000045cce2 in do_source (fname=fname@entry=0x86cbb3 "crash.vim", check_other=check_other@entry=0, is_vimrc=is_vimrc@entry=0) at ex_cmds2.c:3469
#4  0x000000000045d36c in cmd_source (fname=0x86cbb3 "crash.vim", eap=<optimized out>) at ex_cmds2.c:3082
#5  0x0000000000467f33 in do_one_cmd (cookie=0x0, fgetline=0x0, cstack=0x7fffffffcef0, sourcing=1, cmdlinep=0x7fffffffcd70) at ex_docmd.c:2930
#6  do_cmdline (cmdline=cmdline@entry=0x825b80 "so crash.vim", fgetline=fgetline@entry=0x0, cookie=cookie@entry=0x0, flags=flags@entry=11) at ex_docmd.c:1116
#7  0x000000000046bbee in do_cmdline_cmd (cmd=cmd@entry=0x825b80 "so crash.vim") at ex_docmd.c:721
#8  0x0000000000409031 in exe_commands (parmp=0x7fffffffd460) at main.c:2917
#9  main (argc=<optimized out>, argv=<optimized out>) at main.c:960
(gdb) p current_exception
$1 = (except_T *) 0x0
(gdb) p did_throw
$2 = 0

I see that the block of code should not be entered if did_throw was 0 (see the if at ex_eval.c:1538). And in fact did_throw was 1 at line 1538, but it got changed later to 0 when calling vim_regcomp(....) at line ex_eval.c:1565.

Not sure how to fix this.

Regards
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
Attachment: crash.vim (binary data)
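The failure mode in the report is a check-then-use on global state: ex_catch() tests did_throw once, then calls vim_regcomp(), which has the side effect of clearing did_throw and current_exception, and finally dereferences current_exception without looking at it again. The model below is an added example, not Vim's code and not Vim's actual fix: the names set_pending(), compile_pattern(), match(), unguarded_deref_would_fault() and catch_hardened() are hypothetical, and the "{0," substring that makes compile_pattern() discard the pending exception is a constructed trigger standing in for whatever the real NFA bail-out path does. It shows the state at the point where the unguarded code would fault, and a version that re-validates the globals after the side-effecting call instead of trusting the earlier check.

```c
/* Model of the ex_catch() check-then-use problem described in the report.
 * Everything here is hypothetical stand-in code, not Vim's. */
#include <stdio.h>
#include <string.h>

typedef struct { const char *value; } except_T;   /* mirrors the field read at ex_eval.c:1581 */

static except_T *current_exception = NULL;        /* pending exception, NULL when none */
static int did_throw = 0;                         /* 1 while an exception is pending */
static except_T demo_exception;

/* Make an exception pending, as a :throw would before the :catch runs. */
static void set_pending(const char *msg)
{
    demo_exception.value = msg;
    current_exception = &demo_exception;
    did_throw = 1;
}

/* Stand-in for vim_regcomp(). It "compiles" successfully for any non-empty
 * pattern, but a constructed trigger ("{0," in the pattern, echoing the
 * x\{0,90000} case from the bisected commit) makes it discard the pending
 * exception as a side effect, which is the behaviour the gdb session shows.
 * Returns the compiled program (here just the pattern) or NULL on error. */
static const char *compile_pattern(const char *pat)
{
    if (*pat == '\0')
        return NULL;                               /* invalid pattern */
    if (strstr(pat, "{0,") != NULL) {              /* hypothetical bail-out path */
        current_exception = NULL;
        did_throw = 0;
    }
    return pat;
}

/* Stand-in for vim_regexec_nl(): plain substring match. */
static int match(const char *prog, const char *text)
{
    return strstr(text, prog) != NULL;
}

/* Same ordering as the code in the report: check did_throw once, compile, then
 * read current_exception->value. Instead of dereferencing, returns 1 if that
 * read would be a NULL dereference (i.e. the crash), 0 otherwise. */
static int unguarded_deref_would_fault(const char *pat)
{
    set_pending("E42: demo exception");
    if (!did_throw)
        return 0;                                  /* the check at ex_eval.c:1538 */
    const char *prog = compile_pattern(pat);       /* may clear the globals */
    if (prog == NULL)
        return 0;                                  /* EMSG path, no dereference */
    return current_exception == NULL;              /* 1 means: would crash here */
}

/* Hardened variant: re-validate the globals after the call with side effects
 * rather than reusing the earlier check (and without keeping a stale pointer,
 * which could be freed by then). Returns 1 caught, 0 not caught, -1 on error
 * or when the exception disappeared during pattern compilation. */
static int catch_hardened(const char *pat)
{
    set_pending("E42: demo exception");
    if (!did_throw)
        return 0;
    const char *prog = compile_pattern(pat);
    if (prog == NULL)
        return -1;
    if (!did_throw || current_exception == NULL)
        return -1;                                 /* state changed underneath us: bail out */
    return match(prog, current_exception->value);
}

int main(void)
{
    printf("unguarded, trigger pattern: would fault = %d\n",
           unguarded_deref_would_fault("x\\{0,90000}"));
    printf("hardened, trigger pattern:  result = %d\n", catch_hardened("x\\{0,90000}"));
    printf("hardened, matching pattern: result = %d\n", catch_hardened("E42"));
    return 0;
}
```

The point of catch_hardened() is only that a check on mutable global state is valid until the next call that may mutate it; re-checking after compile_pattern() turns the NULL dereference into an ordinary error return, which is what a fuzzer-found crash like this one should degrade to.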
