Hi

afl-fuzz found another crash with use of freed memory in vim-7.4.1627
(and older) in quickfix code. This is a different bug than the one fixed
recently in Vim-7.4.1592:

$ cat > crash.vim <<EOF
fun! R()
  lolder
  lgetexpr []
endfun

autocmd BufReadCmd * call R()
let words = [ "a", "b" ]
let qflist = []
for word in words
 call add(qflist, {'filename': 't'})
 call setloclist(0, qflist, ' ')
endfor
lrewind
EOF

$ vim -u NONE -N -S crash.vim
Vim: Caught deadly signal SEGV

Vim: Finished.
Segmentation fault


Valgrind says:

==28906== Memcheck, a memory error detector
==28906== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==28906== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==28906== Command: ./vim -u NONE -N -S c.vim
==28906==
==28906== Invalid read of size 8
==28906==    at 0x53891F: qf_jump (quickfix.c:1817)
==28906==    by 0x53B793: ex_cc (quickfix.c:3150)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x47073B: do_source (ex_cmds2.c:3896)
==28906==    by 0x46FD43: cmd_source (ex_cmds2.c:3509)
==28906==    by 0x46FC94: ex_source (ex_cmds2.c:3484)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x472081: do_cmdline_cmd (ex_docmd.c:712)
==28906==    by 0x5F5D1E: exe_commands (main.c:2927)
==28906==    by 0x5F320B: main (main.c:955)
==28906==  Address 0x791e0a8 is 40 bytes inside a block of size 64 free'd
==28906==    at 0x4C2CE2B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28906==    by 0x4ED684: vim_free (misc2.c:1695)
==28906==    by 0x539723: qf_free (quickfix.c:2154)
==28906==    by 0x536DCB: qf_new_list (quickfix.c:915)
==28906==    by 0x534EF4: qf_init_ext (quickfix.c:266)
==28906==    by 0x53DBD6: ex_cexpr (quickfix.c:4173)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x458E73: call_user_func (eval.c:24968)
==28906==    by 0x43AD50: call_func (eval.c:8897)
==28906==    by 0x43A622: get_func_tv (eval.c:8686)
==28906==    by 0x431FD9: ex_call (eval.c:3536)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x4A338E: apply_autocmds_group (fileio.c:9451)
==28906==    by 0x4A2B18: apply_autocmds_exarg (fileio.c:9018)
==28906==    by 0x495847: readfile (fileio.c:375)
==28906==    by 0x4059F1: open_buffer (buffer.c:151)
==28906==    by 0x461EC9: do_ecmd (ex_cmds.c:3768)
==28906==    by 0x461265: getfile (ex_cmds.c:3190)
==28906==    by 0x408A7D: buflist_getfile (buffer.c:2094)
==28906==    by 0x538899: qf_jump (quickfix.c:1797)
==28906==    by 0x53B793: ex_cc (quickfix.c:3150)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x47073B: do_source (ex_cmds2.c:3896)
==28906==    by 0x46FD43: cmd_source (ex_cmds2.c:3509)
==28906==    by 0x46FC94: ex_source (ex_cmds2.c:3484)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x472081: do_cmdline_cmd (ex_docmd.c:712)
==28906==    by 0x5F5D1E: exe_commands (main.c:2927)
==28906==    by 0x5F320B: main (main.c:955)
==28906==  Block was alloc'd at
==28906==    at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==28906==    by 0x4ECAC5: lalloc (misc2.c:920)
==28906==    by 0x4EC992: alloc (misc2.c:818)
==28906==    by 0x537000: qf_add_entry (quickfix.c:998)
==28906==    by 0x53D6BD: set_errorlist (quickfix.c:4042)
==28906==    by 0x44AB6E: set_qf_ll_list (eval.c:17940)
==28906==    by 0x44ABE0: f_setloclist (eval.c:17959)
==28906==    by 0x43AECE: call_func (eval.c:8927)
==28906==    by 0x43A622: get_func_tv (eval.c:8686)
==28906==    by 0x431FD9: ex_call (eval.c:3536)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x47073B: do_source (ex_cmds2.c:3896)
==28906==    by 0x46FD43: cmd_source (ex_cmds2.c:3509)
==28906==    by 0x46FC94: ex_source (ex_cmds2.c:3484)
==28906==    by 0x475E5D: do_one_cmd (ex_docmd.c:2921)
==28906==    by 0x472A45: do_cmdline (ex_docmd.c:1107)
==28906==    by 0x472081: do_cmdline_cmd (ex_docmd.c:712)
==28906==    by 0x5F5D1E: exe_commands (main.c:2927)
==28906==    by 0x5F320B: main (main.c:955)
(more errors after that)

Regards
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
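The Valgrind trace above shows the shape of the bug: qf_jump keeps a pointer into the location list, calls buflist_getfile, which reads the buffer and runs the BufReadCmd autocommand, and the autocommand's "lgetexpr []" replaces the list (qf_new_list -> qf_free), so the pointer qf_jump still holds is dangling when it continues. The C model below is an added illustration of that re-entrancy pattern and is not Vim's quickfix.c nor the upstream fix; the list layout, the hook type and the names jump_unsafe, jump_safe and loclist_set are assumptions of this example. The hardened variant uses a generation counter that is bumped whenever the list is replaced and refuses to touch the saved pointer if the counter changed across the hook; whether Vim's fix works this way is not stated in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical model of a window-local location list (added example, not
 * Vim's code).  A "jump" takes a pointer to the current entry, then reads a
 * buffer; reading the buffer runs an autocommand-style hook which may replace
 * the whole list, freeing the entry the jump still points at.
 */

typedef struct qfentry {
    char            fname[16];
    struct qfentry *next;
} qfentry_T;

typedef struct {
    qfentry_T *head;
    unsigned   generation;   /* bumped every time the list is replaced */
} qflist_T;

static qflist_T loclist;     /* the single location list in this model */

static void loclist_free(void)
{
    qfentry_T *e = loclist.head;
    while (e != NULL) {
        qfentry_T *next = e->next;
        free(e);
        e = next;
    }
    loclist.head = NULL;
}

/* Replace the list with the given file names; models setloclist()/:lgetexpr. */
static void loclist_set(const char *const *names, size_t n)
{
    loclist_free();
    qfentry_T **tail = &loclist.head;
    for (size_t i = 0; i < n; i++) {
        qfentry_T *e = calloc(1, sizeof *e);
        if (e == NULL)
            abort();
        strncpy(e->fname, names[i], sizeof e->fname - 1);   /* calloc keeps the NUL */
        *tail = e;
        tail = &e->next;
    }
    loclist.generation++;
}

typedef void (*bufread_hook_T)(void);

/* Models a BufReadCmd autocommand that leaves the list alone. */
static void hook_noop(void) { }

/* Models the reporter's R(): ":lgetexpr []" replaces the list mid-jump. */
static void hook_replace_list(void)
{
    loclist_set(NULL, 0);
}

/*
 * Vulnerable shape: qf_ptr is taken before the hook and dereferenced after it.
 * If the hook replaced the list, qf_ptr dangles and the read is a use after
 * free.  Only ever call this with a hook that cannot replace the list.
 */
static int jump_unsafe(bufread_hook_T on_bufread)
{
    qfentry_T *qf_ptr = loclist.head;
    if (qf_ptr == NULL)
        return -1;
    on_bufread();                   /* may free *qf_ptr */
    return qf_ptr->fname[0];        /* stale pointer if the list was replaced */
}

/*
 * Hardened shape (assumed mitigation): snapshot the generation before running
 * the hook and bail out if the list changed underneath us.
 */
static int jump_safe(bufread_hook_T on_bufread)
{
    unsigned   gen    = loclist.generation;
    qfentry_T *qf_ptr = loclist.head;
    if (qf_ptr == NULL)
        return -1;
    on_bufread();
    if (gen != loclist.generation)
        return -2;                  /* list replaced: qf_ptr must not be used */
    return qf_ptr->fname[0];
}

int main(void)
{
    const char *names[] = { "t" };          /* constructed sample entry */
    loclist_set(names, 1);
    printf("unsafe jump, list untouched:   %d\n", jump_unsafe(hook_noop));
    printf("safe jump, list untouched:     %d\n", jump_safe(hook_noop));
    printf("safe jump, list replaced:      %d\n", jump_safe(hook_replace_list));
    loclist_free();
    return 0;
}
```

The generation check is the cheap form of the guard; the alternative is to re-resolve the entry from the list after every call that can run user code, which is what a reviewer would ask for anywhere an autocommand can run between taking a pointer and using it.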
