Hi,

afl-fuzz found this case, which causes use of freed memory in window.c in Vim-7.4.1662 and older.
Steps to reproduce:

    $ cat bug.vim
    sp
    vimgrep /x/ f
    wincmd T
    wincmd p
    $ valgrind ./vim -u NONE -S bug.vim -c qa 2> valgrind.log

And valgrind says:

    ==5044== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
    ==5044== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
    ==5044== Command: ./vim -u NONE -S bug.vim -c qa
    ==5044==
    ==5044== Invalid read of size 8
    ==5044==    at 0x63099D: win_goto (window.c:4043)
    ==5044==    by 0x63422D: do_window (window.c:218)
    ==5044==    by 0x49287F: ex_wincmd (ex_docmd.c:8978)
    ==5044==    by 0x49A987: do_one_cmd (ex_docmd.c:2921)
    ==5044==    by 0x49E3EC: do_cmdline (ex_docmd.c:1107)
    ==5044==    by 0x48B34E: do_source (ex_cmds2.c:3896)
    ==5044==    by 0x48C1E3: cmd_source (ex_cmds2.c:3509)
    ==5044==    by 0x48C1E3: ex_source (ex_cmds2.c:3484)
    ==5044==    by 0x49A987: do_one_cmd (ex_docmd.c:2921)
    ==5044==    by 0x49FE89: do_cmdline.constprop.44 (ex_docmd.c:1107)
    ==5044==    by 0x413CB9: exe_commands (main.c:2930)
    ==5044==    by 0x413CB9: main (main.c:955)
    ==5044==  Address 0xdd19838 is 8 bytes inside a block of size 5,600 free'd
    ==5044==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==5044==    by 0x62758C: win_free (window.c:4632)
    ==5044==    by 0x6336E1: win_free_mem (window.c:2517)
    ==5044==    by 0x6336E1: win_close (window.c:2368)
    ==5044==    by 0x634FB6: do_window (window.c:321)
    ==5044==    by 0x49287F: ex_wincmd (ex_docmd.c:8978)
    ==5044==    by 0x49A987: do_one_cmd (ex_docmd.c:2921)
    ==5044==    by 0x49E3EC: do_cmdline (ex_docmd.c:1107)
    ==5044==    by 0x48B34E: do_source (ex_cmds2.c:3896)
    ==5044==    by 0x48C1E3: cmd_source (ex_cmds2.c:3509)
    ==5044==    by 0x48C1E3: ex_source (ex_cmds2.c:3484)
    ==5044==    by 0x49A987: do_one_cmd (ex_docmd.c:2921)
    ==5044==    by 0x49FE89: do_cmdline.constprop.44 (ex_docmd.c:1107)
    ==5044==    by 0x413CB9: exe_commands (main.c:2930)
    ==5044==    by 0x413CB9: main (main.c:955)

(more errors after that)

Regards
Dominique
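A triage helper, added here and not part of Dominique's report or of Vim itself, that parses memcheck output of the kind quoted above and pulls out the use site and the free site, so fuzzer-found crashes can be bucketed by that pair rather than by the (varying) address. The embedded excerpt is taken from the report; the regexes assume valgrind's default text output format.

```python
import re

# Excerpt of the memcheck output from the report above (first error only).
SAMPLE_LOG = """\
==5044== Invalid read of size 8
==5044==    at 0x63099D: win_goto (window.c:4043)
==5044==    by 0x63422D: do_window (window.c:218)
==5044==  Address 0xdd19838 is 8 bytes inside a block of size 5,600 free'd
==5044==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5044==    by 0x62758C: win_free (window.c:4632)
==5044==    by 0x6336E1: win_close (window.c:2368)
"""

FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
ERROR = re.compile(r"^Invalid (read|write) of size (\d+)$")
FREED = re.compile(r"^Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size ([\d,]+) free'd$")

def parse_memcheck(text):
    """One dict per 'Invalid read/write' error: access stack plus free stack if any."""
    errors, cur, stack = [], None, None
    for raw in text.splitlines():
        m = re.match(r"^==\d+==\s?(.*)$", raw)   # strip the '==PID==' prefix
        if not m:
            continue
        line = m.group(1).strip()
        if (e := ERROR.match(line)):
            cur = {"access": e.group(1), "size": int(e.group(2)), "offset": None,
                   "block_size": None, "access_stack": [], "free_stack": None}
            errors.append(cur)
            stack = cur["access_stack"]
        elif cur and (f := FREED.match(line)):
            cur["offset"] = int(f.group(1))
            cur["block_size"] = int(f.group(2).replace(",", ""))
            cur["free_stack"] = stack = []              # following frames belong to the free
        elif cur and stack is not None and (fr := FRAME.match(line)):
            stack.append((fr.group(1), fr.group(2)))   # (function, file:line or module)
        elif line == "":
            cur = stack = None                          # blank line ends the error block
    return errors

def classify(err):
    """Label the error and name the use site and the first free frame in project code."""
    if err["free_stack"] is None:
        return "invalid-" + err["access"], err["access_stack"][0], None
    use_site = err["access_stack"][0]
    # skip valgrind's own preload frame ("in /usr/lib/valgrind/...") to reach the caller
    free_site = next((f for f in err["free_stack"] if not f[1].startswith("in /")), None)
    return "use-after-free", use_site, free_site
```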
