Dominique wrote:

> afl-fuzz found another use of free memory in
> Vim-7.4.1646 and older in quickfix.c.
> 
> Steps to reproduce:
> 
> $ cat crash.vim
> helpgr quickfix
> call setqflist([], 'r')
> cad
> cn
> 
> $ vim -u NONE -S crash.vim
> Vim: Caught deadly signal SEGV
> 
> Vim: Finished.
> Segmentation fault (core dumped)
> 
> Valgrind says:
> 
> ==8658== Memcheck, a memory error detector
> ==8658== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==8658== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
> ==8658== Command: ./vim -u NONE -S crash.vim
> ==8658== Parent PID: 3917
> ==8658==
> ==8658== Invalid read of size 4
> ==8658==    at 0x57C0DA: qf_jump (quickfix.c:1510)
> ==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
> ==8658==    by 0x49E3AC: do_cmdline (ex_docmd.c:1107)
> ==8658==    by 0x48B30E: do_source (ex_cmds2.c:3896)
> ==8658==    by 0x48C1A3: cmd_source (ex_cmds2.c:3509)
> ==8658==    by 0x48C1A3: ex_source (ex_cmds2.c:3484)
> ==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
> ==8658==    by 0x49FE49: do_cmdline.constprop.44 (ex_docmd.c:1107)
> ==8658==    by 0x413CB9: exe_commands (main.c:2927)
> ==8658==    by 0x413CB9: main (main.c:955)
> ==8658==  Address 0xf7a8f28 is 24 bytes inside a block of size 64 free'd
> ==8658==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==8658==    by 0x580D12: qf_free (quickfix.c:2197)
> ==8658==    by 0x580D12: set_errorlist (quickfix.c:4043)
> ==8658==    by 0x455509: set_qf_ll_list (eval.c:17957)
> ==8658==    by 0x455509: f_setqflist (eval.c:18142)
> ==8658==    by 0x4636C1: call_func (eval.c:8968)
> ==8658==    by 0x46ADF8: get_func_tv (eval.c:8727)
> ==8658==    by 0x46F12B: ex_call (eval.c:3538)
> ==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
> ==8658==    by 0x49E3AC: do_cmdline (ex_docmd.c:1107)
> ==8658==    by 0x48B30E: do_source (ex_cmds2.c:3896)
> ==8658==    by 0x48C1A3: cmd_source (ex_cmds2.c:3509)
> ==8658==    by 0x48C1A3: ex_source (ex_cmds2.c:3484)
> ==8658==    by 0x49A947: do_one_cmd (ex_docmd.c:2921)
> ==8658==    by 0x49FE49: do_cmdline.constprop.44 (ex_docmd.c:1107)
> ==8658==    by 0x413CB9: exe_commands (main.c:2927)
> ==8658==    by 0x413CB9: main (main.c:955)
> (and more errors after that)

That quickfix code is a bit brittle.  Anyway, found a way to avoid this
problem.  Can use the reproducing steps for a test.

-- 
hundred-and-one symptoms of being an internet addict:
116. You are living with your boyfriend who networks your respective
     computers so you can sit in separate rooms and email each other

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
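A stripped-down model of the bug class in the trace above (a cursor into the quickfix list that survives a `setqflist([], 'r')` replace and is then followed by `:cn`), added here as an illustration; it is not Vim's quickfix code, and `qflist_T`, `entry_T`, `qf_replace_buggy`, `qf_replace_fixed`, `qf_next` and `replay_with_fix` are made-up names.

```c
#include <stdlib.h>

/* Toy quickfix list: a linked list of entries plus a cursor that remembers
 * the current entry (the role qf_ptr plays in Vim). Constructed model only. */
typedef struct entry { struct entry *next; int lnum; } entry_T;
typedef struct { entry_T *head; entry_T *cur; int count; } qflist_T;

static void qf_add(qflist_T *ql, int lnum)
{
    entry_T *e = malloc(sizeof *e);
    if (e == NULL) abort();
    e->next = NULL; e->lnum = lnum;
    if (ql->head == NULL) ql->head = e;
    else { entry_T *t = ql->head; while (t->next) t = t->next; t->next = e; }
    ql->count++;
}

static void qf_free_entries(qflist_T *ql)
{
    entry_T *e = ql->head;
    while (e != NULL) { entry_T *n = e->next; free(e); e = n; }
    ql->head = NULL; ql->count = 0;
}

/* 'r' replace in its brittle form: entries are freed, but the cursor still
 * points into the freed block. Deliberately never called below. */
void qf_replace_buggy(qflist_T *ql) { qf_free_entries(ql); }

/* Hardened form: invalidating the cursor is part of freeing the entries. */
void qf_replace_fixed(qflist_T *ql) { qf_free_entries(ql); ql->cur = NULL; }

/* ":cn": move to the next entry, return its line number or -1 if none.
 * After qf_replace_buggy() the second branch reads ql->cur->next out of
 * freed memory, the same kind of "Invalid read" Valgrind reported. */
int qf_next(qflist_T *ql)
{
    if (ql->cur == NULL) ql->cur = ql->head;
    else if (ql->cur->next != NULL) ql->cur = ql->cur->next;
    return ql->cur != NULL ? ql->cur->lnum : -1;
}

/* Replay of the report with the fix: fill, jump once, replace, jump again.
 * Returns 1 when the second jump reports "no entries" instead of crashing. */
int replay_with_fix(void)
{
    qflist_T ql = { NULL, NULL, 0 };
    qf_add(&ql, 10); qf_add(&ql, 20);
    int first = qf_next(&ql);      /* cursor now points at the first entry */
    qf_replace_fixed(&ql);         /* entries freed, cursor reset to NULL */
    int after = qf_next(&ql);      /* -1: nothing to jump to */
    return (first == 10 && after == -1) ? 1 : 0;
}
```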

-- 
You received this message from the "vim_dev" maillist.