Hi, afl-fuzz found another use of freed memory in Vim-7.4.1646 and older in quickfix.c.
Steps to reproduce:

$ cat crash.vim
helpgr quickfix
call setqflist([], 'r')
cad
cn
$ vim -u NONE -S crash.vim
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)

Valgrind says:

==8658== Memcheck, a memory error detector
==8658== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8658== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==8658== Command: ./vim -u NONE -S crash.vim
==8658== Parent PID: 3917
==8658==
==8658== Invalid read of size 4
==8658==    at 0x57C0DA: qf_jump (quickfix.c:1510)
==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
==8658==    by 0x49E3AC: do_cmdline (ex_docmd.c:1107)
==8658==    by 0x48B30E: do_source (ex_cmds2.c:3896)
==8658==    by 0x48C1A3: cmd_source (ex_cmds2.c:3509)
==8658==    by 0x48C1A3: ex_source (ex_cmds2.c:3484)
==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
==8658==    by 0x49FE49: do_cmdline.constprop.44 (ex_docmd.c:1107)
==8658==    by 0x413CB9: exe_commands (main.c:2927)
==8658==    by 0x413CB9: main (main.c:955)
==8658==  Address 0xf7a8f28 is 24 bytes inside a block of size 64 free'd
==8658==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==8658==    by 0x580D12: qf_free (quickfix.c:2197)
==8658==    by 0x580D12: set_errorlist (quickfix.c:4043)
==8658==    by 0x455509: set_qf_ll_list (eval.c:17957)
==8658==    by 0x455509: f_setqflist (eval.c:18142)
==8658==    by 0x4636C1: call_func (eval.c:8968)
==8658==    by 0x46ADF8: get_func_tv (eval.c:8727)
==8658==    by 0x46F12B: ex_call (eval.c:3538)
==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
==8658==    by 0x49E3AC: do_cmdline (ex_docmd.c:1107)
==8658==    by 0x48B30E: do_source (ex_cmds2.c:3896)
==8658==    by 0x48C1A3: cmd_source (ex_cmds2.c:3509)
==8658==    by 0x48C1A3: ex_source (ex_cmds2.c:3484)
==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
==8658==    by 0x49FE49: do_cmdline.constprop.44 (ex_docmd.c:1107)
==8658==    by 0x413CB9: exe_commands (main.c:2927)
==8658==    by 0x413CB9: main (main.c:955)

(and more errors after that)
Regards
Dominique

-- 
You received this message from the "vim_dev" maillist. Do not top-post! Type your reply below the text you are replying to. For more information, visit http://www.vim.org/maillist.php
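The pattern behind this report, as an added example that is not Vim's code: a simplified model of a quickfix list in which replacing the list frees its entries (as set_errorlist -> qf_free does in the trace above) while a pointer used by the later jump command still refers to them. The defence shown is to clear that pointer when freeing, so the jump fails cleanly instead of reading freed memory; the names qfline_T, qf_list_T, qf_replace, qf_jump_next and reproduce_sequence belong to this model, not to Vim.

```c
#include <stdlib.h>

/* Simplified model of a quickfix list; not Vim's real structures or code. */
typedef struct qfline { int lnum; struct qfline *next; } qfline_T;
typedef struct { qfline_T *qf_start, *qf_ptr; } qf_list_T;  /* list head; current entry */

/* Free every entry, then clear every pointer that could still refer to one.
 * Clearing qf_ptr is the defence against the reported use-after-free. */
static void qf_free(qf_list_T *ql)
{
    while (ql->qf_start != NULL) {
        qfline_T *next = ql->qf_start->next;
        free(ql->qf_start);
        ql->qf_start = next;
    }
    ql->qf_ptr = NULL;   /* without this, qf_jump_next() would read freed memory */
}

/* Replace the list with n entries; models setqflist(list, 'r'). */
static void qf_replace(qf_list_T *ql, const int *lnums, int n)
{
    qf_free(ql);
    for (int i = n - 1; i >= 0; i--) {
        qfline_T *e = malloc(sizeof *e);
        if (e == NULL)
            abort();
        *e = (qfline_T){ lnums[i], ql->qf_start };
        ql->qf_start = e;
    }
    ql->qf_ptr = ql->qf_start;
}

/* Advance to the next entry (models :cnext); returns -1 when there is none. */
static int qf_jump_next(qf_list_T *ql)
{
    if (ql->qf_ptr == NULL || ql->qf_ptr->next == NULL)
        return -1;
    ql->qf_ptr = ql->qf_ptr->next;
    return ql->qf_ptr->lnum;
}

/* The reported sequence (the :cad step is left out of this model). */
int reproduce_sequence(void)
{
    qf_list_T ql = {0};
    int lnums[] = {10, 20, 30};          /* constructed sample line numbers */
    qf_replace(&ql, lnums, 3);           /* :helpgr quickfix fills the list */
    qf_replace(&ql, NULL, 0);            /* setqflist([], 'r') empties it */
    return qf_jump_next(&ql);            /* :cn must fail cleanly, not crash */
}
```

Running the same model with the `ql->qf_ptr = NULL;` line removed reproduces the shape of the Valgrind report: the jump dereferences a block that qf_free has already released.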
