Dominique wrote:
> afl-fuzz found this case which causes use of
> free memory in window.c in Vim-7.4.1662 and older.
>
> Steps to reproduce:
>
> $ cat bug.vim
> sp
> vimgrep /x/ f
> wincmd T
> wincmd p
>
> $ valgrind ./vim -u NONE -S bug.vim -c qa 2> valgrind.log
>
> And valgrind says:
>
> ==5044== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
> ==5044== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
> ==5044== Command: ./vim -u NONE -S bug.vim -c qa
> ==5044==
> ==5044== Invalid read of size 8
> ==5044== at 0x63099D: win_goto (window.c:4043)
> ==5044== by 0x63422D: do_window (window.c:218)
> ==5044== by 0x49287F: ex_wincmd (ex_docmd.c:8978)
> ==5044== by 0x49A987: do_one_cmd (ex_docmd.c:2921)
> ==5044== by 0x49E3EC: do_cmdline (ex_docmd.c:1107)
> ==5044== by 0x48B34E: do_source (ex_cmds2.c:3896)
> ==5044== by 0x48C1E3: cmd_source (ex_cmds2.c:3509)
> ==5044== by 0x48C1E3: ex_source (ex_cmds2.c:3484)
> ==5044== by 0x49A987: do_one_cmd (ex_docmd.c:2921)
> ==5044== by 0x49FE89: do_cmdline.constprop.44 (ex_docmd.c:1107)
> ==5044== by 0x413CB9: exe_commands (main.c:2930)
> ==5044== by 0x413CB9: main (main.c:955)
> ==5044== Address 0xdd19838 is 8 bytes inside a block of size 5,600 free'd
> ==5044== at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==5044== by 0x62758C: win_free (window.c:4632)
> ==5044== by 0x6336E1: win_free_mem (window.c:2517)
> ==5044== by 0x6336E1: win_close (window.c:2368)
> ==5044== by 0x634FB6: do_window (window.c:321)
> ==5044== by 0x49287F: ex_wincmd (ex_docmd.c:8978)
> ==5044== by 0x49A987: do_one_cmd (ex_docmd.c:2921)
> ==5044== by 0x49E3EC: do_cmdline (ex_docmd.c:1107)
> ==5044== by 0x48B34E: do_source (ex_cmds2.c:3896)
> ==5044== by 0x48C1E3: cmd_source (ex_cmds2.c:3509)
> ==5044== by 0x48C1E3: ex_source (ex_cmds2.c:3484)
> ==5044== by 0x49A987: do_one_cmd (ex_docmd.c:2921)
> ==5044== by 0x49FE89: do_cmdline.constprop.44 (ex_docmd.c:1107)
> ==5044== by 0x413CB9: exe_commands (main.c:2930)
> ==5044== by 0x413CB9: main (main.c:955)
> (more errors after that)
Thanks.
--
hundred-and-one symptoms of being an internet addict:
136. You decide to stay in a low-paying job teaching just for the
free Internet access.
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
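As an added example that is not part of this thread and not Vim code: when triaging a memcheck report like the one above, the two facts that matter are where the stale pointer is dereferenced (the "Invalid read" stack) and where the block was released (the "free'd" stack), plus the lowest frame the two stacks share, which is usually where the fix belongs. The Python parser below extracts exactly that from memcheck's text output. It is run here over a constructed, trimmed copy of Dominique's trace; the handling of a "Block was alloc'd at" section is an assumption about memcheck output that this particular log does not exercise.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the memcheck output from the report above, trimmed to the
# frames needed for triage. Not a fresh run.
SAMPLE_LOG = """\
==5044== Invalid read of size 8
==5044==    at 0x63099D: win_goto (window.c:4043)
==5044==    by 0x63422D: do_window (window.c:218)
==5044==    by 0x49287F: ex_wincmd (ex_docmd.c:8978)
==5044==  Address 0xdd19838 is 8 bytes inside a block of size 5,600 free'd
==5044==    at 0x4C2BDEC: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==5044==    by 0x62758C: win_free (window.c:4632)
==5044==    by 0x6336E1: win_free_mem (window.c:2517)
==5044==    by 0x6336E1: win_close (window.c:2368)
==5044==    by 0x634FB6: do_window (window.c:321)
==5044==    by 0x49287F: ex_wincmd (ex_docmd.c:8978)
==5044==
"""

PREFIX_RE = re.compile(r"^==(\d+)==\s?(.*)$")
HEADER_RE = re.compile(r"^Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)$")
FREED_RE = re.compile(
    r"^Address 0x[0-9A-Fa-f]+ is (\d+) bytes inside a block of size ([\d,]+) free'd$")
ALLOC_RE = re.compile(r"^Block was alloc'd at$")  # assumed memcheck wording


@dataclass
class Frame:
    func: str
    loc: str  # "window.c:4043" or "in /path/to/lib.so" when no source line is known

    def in_project_source(self) -> bool:
        # Frames resolved only to a shared object ("in /usr/lib/...") carry no
        # source location, so they are skipped when naming the fix site.
        return not self.loc.startswith("in ")


@dataclass
class MemcheckError:
    kind: str            # "read" or "write"
    size: int            # bytes accessed
    offset: Optional[int] = None      # offset of the access inside the freed block
    block_size: Optional[int] = None  # size of the freed block
    use_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    def is_use_after_free(self) -> bool:
        return bool(self.free_stack)


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Turn memcheck's '==pid==' prefixed text into MemcheckError records."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    target: Optional[List[Frame]] = None  # stack that the next frames belong to
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # not a memcheck line (program output, shell noise)
        body = m.group(2).strip()
        if not body:
            current, target = None, None  # an empty '==pid==' line closes the record
            continue
        h = HEADER_RE.match(body)
        if h:
            current = MemcheckError(kind=h.group(1), size=int(h.group(2)))
            errors.append(current)
            target = current.use_stack
            continue
        if current is None:
            continue
        f = FREED_RE.match(body)
        if f:
            current.offset = int(f.group(1))
            current.block_size = int(f.group(2).replace(",", ""))
            target = current.free_stack
            continue
        if ALLOC_RE.match(body):
            target = current.alloc_stack
            continue
        fr = FRAME_RE.match(body)
        if fr and target is not None:
            target.append(Frame(fr.group(1), fr.group(2)))
    return errors


def first_source_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame that has a source location (skips the allocator wrapper)."""
    for fr in frames:
        if fr.in_project_source():
            return fr
    return frames[0] if frames else None


def common_caller(err: MemcheckError) -> Optional[str]:
    """Lowest function present in both the use and the free stack."""
    use_funcs = {fr.func for fr in err.use_stack}
    for fr in err.free_stack:
        if fr.func in use_funcs:
            return fr.func
    return None


def summarize(err: MemcheckError) -> str:
    use = first_source_frame(err.use_stack)
    where = f"{use.func} ({use.loc})" if use else "unknown"
    if not err.is_use_after_free():
        return f"invalid {err.kind} of {err.size} bytes at {where}"
    freed = first_source_frame(err.free_stack)
    freed_at = f"{freed.func} ({freed.loc})" if freed else "unknown"
    return (f"use-after-free: {err.kind} of {err.size} bytes at {where}, "
            f"{err.offset} bytes into a {err.block_size}-byte block freed by {freed_at}")


if __name__ == "__main__":
    for e in parse_memcheck(SAMPLE_LOG):
        print(summarize(e))
        print("lowest shared caller:", common_caller(e))
```

On the constructed sample this reports the read in win_goto (window.c:4043) of a block freed by win_free (window.c:4632), with do_window as the lowest shared caller, which matches the two stacks in the report: the window is closed and its memory released inside one `wincmd`, and the stale pointer is then followed by the next one.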