Dominique wrote:
> afl-fuzz (American Fuzzy Lop) found this case
> which causes Vim-7.4.1558 to segfault:
>
> $ cat crash.vim
> let s:v= {}
> let s:x = {"a": s:v}
> let s:v["b"] = s:x
> let s:w = {"c": s:x,"d": ''}
> call assert_equal(s:w, '')
>
> $ vim -u NONE -N -S crash.vim
> Vim: Caught deadly signal SEGV
> Press ENTER or type command to continueVim: Finished.
> Segmentation fault (core dumped)
>
> Valgrind reports:
>
> ==3644== Memcheck, a memory error detector
> ==3644== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==3644== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
> ==3644== Command: ./vim -u NONE -N -S crash.vim
> ==3644==
> ==3644== Invalid read of size 1
> ==3644== at 0x8083A6F: ga_concat_esc (eval.c:9165)
> ==3644== by 0x8083B37: fill_assert_error (eval.c:9211)
> ==3644== by 0x8083C70: f_assert_equal (eval.c:9247)
> ==3644== by 0x80830C6: call_func (eval.c:8798)
> ==3644== by 0x8082B9A: get_func_tv (eval.c:8597)
> ==3644== by 0x807B6CB: ex_call (eval.c:3526)
> ==3644== by 0x80B78EB: do_one_cmd (ex_docmd.c:2921)
> ==3644== by 0x80B4BF7: do_cmdline (ex_docmd.c:1107)
> ==3644== by 0x80B2B42: do_source (ex_cmds2.c:3727)
> ==3644== by 0x80B223A: cmd_source (ex_cmds2.c:3340)
> ==3644== by 0x80B2198: ex_source (ex_cmds2.c:3315)
> ==3644== by 0x80B78EB: do_one_cmd (ex_docmd.c:2921)
> ==3644== Address 0x0 is not stack'd, malloc'd or (recently) free'd
> ==3644==
>
> 9159 static void
> 9160 ga_concat_esc(garray_T *gap, char_u *str)
> 9161 {
> 9162     char_u *p;
> 9163     char_u buf[NUMBUFLEN];
> 9164
> 9165     for (p = str; *p != NUL; ++p)
> 9166         switch (*p)
> 9167         {
>
> 9190 static void
> 9191 fill_assert_error(
> ....
> 9211     ga_concat_esc(gap, tv2string(exp_tv, &tofree, numbuf, 0));
>
> ga_concat_esc(...) is called with str being NULL
> (returned value of tv2string at line 9211) which causes
> the segfault at line 9165.
>
> Attached patch fixes the crash, but I'm not sure
> whether it's the best way to fix it.
Thanks. I suppose that is the right way to fix it. But I'll add the
"NULL" to the message, otherwise it doesn't look right.
I'll also add a test for this.
--
It was recently discovered that research causes cancer in rats.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
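The defensive shape of the fix discussed above (treat a NULL string as the literal text "NULL" instead of reading through it), written out as an added C example that is not Vim's code: the growable-buffer layout and the escape table are assumptions chosen for illustration, not Vim's garray_T or its real ga_concat_esc rules.

```c
#include <stdlib.h>
#include <string.h>
/* Minimal growable byte buffer standing in for Vim's garray_T (assumed shape). */
typedef struct { char *data; size_t len; size_t cap; } garray;
/* Ensure room for `extra` more bytes plus a NUL terminator; 0 on success. */
static int ga_grow(garray *ga, size_t extra)
{
    if (ga->data != NULL && ga->len + extra < ga->cap)
        return 0;
    char *nd = realloc(ga->data, ga->len + extra + 64);
    if (nd == NULL)
        return -1;
    ga->data = nd; ga->cap = ga->len + extra + 64;
    ga->data[ga->len] = '\0';           /* keep the buffer a valid C string */
    return 0;
}
/* Append n bytes of s, keeping the NUL terminator; 0 on success. */
static int ga_append(garray *ga, const char *s, size_t n)
{
    if (ga_grow(ga, n) != 0)
        return -1;
    memcpy(ga->data + ga->len, s, n);
    ga->len += n;
    ga->data[ga->len] = '\0';
    return 0;
}
/* Hardened concat: a NULL str (a stringifier that gave up) becomes the literal
 * text "NULL" instead of a read through address 0. The escape table below is
 * an assumed subset for illustration, not Vim's real one. */
int ga_concat_esc_safe(garray *ga, const char *str)
{
    if (str == NULL)
        return ga_append(ga, "NULL", 4);
    for (const char *p = str; *p != '\0'; ++p) {
        const char *esc = *p == '\n' ? "\\n" : *p == '\t' ? "\\t"
                        : *p == '\\' ? "\\\\" : NULL;
        if ((esc ? ga_append(ga, esc, strlen(esc)) : ga_append(ga, p, 1)) != 0)
            return -1;
    }
    return 0;
}
/* Test helper: 1 if escaping `in` yields `expected` (a never-grown buffer is ""); frees it. */
int esc_matches(const char *in, const char *expected)
{
    garray ga = { NULL, 0, 0 };
    int ok = ga_concat_esc_safe(&ga, in) == 0
             && strcmp(ga.data != NULL ? ga.data : "", expected) == 0;
    free(ga.data);
    return ok;
}
```

The NULL case is the one the Valgrind trace shows: the original loop reads `*p` at address 0 before any check, while the guarded version never touches the pointer.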