Hi

afl-fuzz (American Fuzzy Lop) found this case
which causes Vim-7.4.1558 to segfault:

$ cat crash.vim
" s:v and s:x reference each other (s:x["a"] is s:v, s:v["b"] is s:x),
" so the structure contains a cycle.
let s:v= {}
let s:x = {"a": s:v}
let s:v["b"] = s:x
" s:w reaches the cycle through key "c".
let s:w = {"c": s:x,"d": ''}
" The comparison fails (dict vs. string), so assert_equal() has to format
" s:w for its error message; that formatting is where the reported
" segfault occurs.
call assert_equal(s:w, '')

$ vim -u NONE -N -S crash.vim
Vim: Caught deadly signal SEGV
Press ENTER or type command to continueVim: Finished.
Segmentation fault (core dumped)

Valgrind reports:

==3644== Memcheck, a memory error detector
==3644== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==3644== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==3644== Command: ./vim -u NONE -N -S crash.vim
==3644==
==3644== Invalid read of size 1
==3644==    at 0x8083A6F: ga_concat_esc (eval.c:9165)
==3644==    by 0x8083B37: fill_assert_error (eval.c:9211)
==3644==    by 0x8083C70: f_assert_equal (eval.c:9247)
==3644==    by 0x80830C6: call_func (eval.c:8798)
==3644==    by 0x8082B9A: get_func_tv (eval.c:8597)
==3644==    by 0x807B6CB: ex_call (eval.c:3526)
==3644==    by 0x80B78EB: do_one_cmd (ex_docmd.c:2921)
==3644==    by 0x80B4BF7: do_cmdline (ex_docmd.c:1107)
==3644==    by 0x80B2B42: do_source (ex_cmds2.c:3727)
==3644==    by 0x80B223A: cmd_source (ex_cmds2.c:3340)
==3644==    by 0x80B2198: ex_source (ex_cmds2.c:3315)
==3644==    by 0x80B78EB: do_one_cmd (ex_docmd.c:2921)
==3644==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==3644==

 9159     static void
 9160 ga_concat_esc(garray_T *gap, char_u *str)
 9161 {
 9162     char_u  *p;
 9163     char_u  buf[NUMBUFLEN];
 9164
 9165     for (p = str; *p != NUL; ++p)
 9166         switch (*p)
 9167         {

 9190     static void
 9191 fill_assert_error(
 ....
 9211             ga_concat_esc(gap, tv2string(exp_tv, &tofree, numbuf, 0));

ga_concat_esc(...) is called with a NULL str (the value returned
by tv2string() at line 9211), which causes the segfault at line 9165.

Attached patch fixes the crash, but I'm not sure
whether it's the best way to fix it.

Regards
Dominique

diff --git a/src/eval.c b/src/eval.c
index e045a67..e4dff58 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -9162,6 +9162,8 @@ ga_concat_esc(garray_T *gap, char_u *str)
     char_u  *p;
     char_u  buf[NUMBUFLEN];
 
+    if (str == NULL)
+	return;
     for (p = str; *p != NUL; ++p)
 	switch (*p)
 	{
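Review bot: The early return on the added lines hides the NULL rather than reporting it: ga_concat_esc() then appends nothing, so the assert_equal() failure message that fill_assert_error() is building will simply be missing the expected value, with no hint why. At minimum append a marker so the message stays readable, e.g. `if (str == NULL) { ga_concat(gap, (char_u *)"{null}"); return; }`. The root cause also looks like it sits in the caller: the quoted call at eval.c:9211 passes 0 as the last (copyID) argument of tv2string() and the reproducer builds a dict that references itself, so the NULL is presumably the result of walking that cycle without cycle detection; if so, giving the call site a proper copyID (and keeping this guard as a defensive check) is the more complete fix. The body of ga_concat_esc() continues past the end of the hunk.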
