Hi
afl-fuzz found this command which crashes vim-7.4.2232:
$ vim -u NONE -c "echo funcref('{')"
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)
In gdb:
Program received signal SIGSEGV, Segmentation fault.
0x00000000004c1e26 in hash_hash (key=0x0) at hashtab.c:470
(gdb) bt
#0 0x00000000004c1e26 in hash_hash (key=0x0) at hashtab.c:470
#1 0x00000000004c164f in hash_find (ht=0x8ca240 <func_hashtab>,
key=0x0) at hashtab.c:120
#2 0x00000000005e284e in find_func (name=0x0) at userfunc.c:549
#3 0x000000000044ee36 in common_function (argvars=0x7fffffffcea0,
rettv=0x7fffffffd4b0, is_funcref=1) at evalfunc.c:3735
#4 0x000000000044ef0f in f_funcref (argvars=0x7fffffffcea0,
rettv=0x7fffffffd4b0) at evalfunc.c:3766
#5 0x0000000000449fb2 in call_internal_func (name=0x929620 "funcref",
argcount=1, argvars=0x7fffffffcea0, rettv=0x7fffffffd4b0) at evalfunc.c:997
#6 0x00000000005e4702 in call_func (funcname=0x8e89b5
"funcref('{')vim", len=7, rettv=0x7fffffffd4b0, argcount_in=1,
argvars_in=0x7fffffffcea0, argv_func=0x0, firstline=1, lastline=1,
doesrange=0x7fffffffd04c, evaluate=1, partial=0x0,
selfdict_in=0x0) at userfunc.c:1372
#7 0x00000000005e2582 in get_func_tv (name=0x8e89b5
"funcref('{')vim", len=7, rettv=0x7fffffffd4b0, arg=0x7fffffffd498,
firstline=1, lastline=1, doesrange=0x7fffffffd04c, evaluate=1,
partial=0x0, selfdict=0x0) at userfunc.c:455
#8 0x000000000043f7d6 in eval7 (arg=0x7fffffffd498,
rettv=0x7fffffffd4b0, evaluate=1, want_string=0) at eval.c:4343
#9 0x000000000043f011 in eval6 (arg=0x7fffffffd498,
rettv=0x7fffffffd4b0, evaluate=1, want_string=0) at eval.c:3977
#10 0x000000000043eaf4 in eval5 (arg=0x7fffffffd498,
rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3793
#11 0x000000000043ddb8 in eval4 (arg=0x7fffffffd498,
rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3492
#12 0x000000000043dbf6 in eval3 (arg=0x7fffffffd498,
rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3409
#13 0x000000000043da6f in eval2 (arg=0x7fffffffd498,
rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3341
#14 0x000000000043d8a6 in eval1 (arg=0x7fffffffd498,
rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3269
#15 0x0000000000446086 in ex_echo (eap=0x7fffffffd5f0) at eval.c:8178
#16 0x000000000047aa70 in do_one_cmd (cmdlinep=0x7fffffffd710,
sourcing=1, cstack=0x7fffffffd800, fgetline=0x0, cookie=0x0) at ex_docmd.c:2925
#17 0x000000000047775c in do_cmdline (cmdline=0x7fffffffe252 "echo
funcref('{')vim", fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:1110
#18 0x0000000000476d98 in do_cmdline_cmd (cmd=0x7fffffffe252 "echo
funcref('{')vim") at ex_docmd.c:715
#19 0x00000000006236e1 in exe_commands (parmp=0x8cae40 <params>) at main.c:2896
#20 0x000000000062080e in vim_main2 () at main.c:781
#21 0x000000000062010f in main (argc=9, argv=0x7fffffffde58) at main.c:415
(gdb) up
#1 0x00000000004c164f in hash_find (ht=0x8ca240 <func_hashtab>,
key=0x0) at hashtab.c:120
(gdb) up
#2 0x00000000005e284e in find_func (name=0x0) at userfunc.c:549
(gdb) up
#3 0x000000000044ee36 in common_function (argvars=0x7fffffffcea0,
rettv=0x7fffffffd4b0, is_funcref=1) at evalfunc.c:3735
evalfunc.c:
3733│ else if (is_funcref)
3734│ {
3735├> pt->pt_func = find_func(trans_name);
3736│ func_ptr_ref(pt->pt_func);
3737│ vim_free(name);
3738│ }
(gdb) p trans_name
$1 = (char_u *) 0x0
So we have a funcref with trans_name being NULL
at evalfunc.c:3735. The current error checking looks
complex in this function, so I'm not sure how to fix it.
Regards
Dominique
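As an added illustration (not Vim's code and not part of this report), a small C model of the call chain in the backtrace above: a name translation that yields NULL for "{" feeds an unconditional hash lookup, and a hardened caller rejects the NULL before it reaches find_func(). The function names mirror the backtrace; their bodies and the two-entry function table are constructed.

```c
#include <ctype.h>
#include <string.h>
/* Toy model of the call chain in the backtrace (not Vim's code):
 * common_function() -> find_func() -> hash_find() -> hash_hash().
 * Names are borrowed from the report; every body here is constructed. */
typedef unsigned long hash_T;
/* String hash that dereferences its key unconditionally, like the
 * hash_hash() frame at hashtab.c:470 in the report. */
static hash_T hash_hash(const char *key)
{
    hash_T h = 0;
    for (; *key != '\0'; ++key)
        h = h * 101 + (unsigned char)*key;
    return h;
}

/* Constructed stand-in for func_hashtab. */
#define FUNC_COUNT 2
static const char *func_names[FUNC_COUNT] = { "Foo", "Bar" };

/* Stored name on a hit, NULL on a miss; a NULL name crashes in hash_hash(). */
static const char *find_func(const char *name)
{
    hash_T h = hash_hash(name);
    for (int i = 0; i < FUNC_COUNT; ++i)
        if (hash_hash(func_names[i]) == h && strcmp(func_names[i], name) == 0)
            return func_names[i];
    return NULL;
}

/* Stand-in for name translation: NULL for anything that cannot be a
 * function name, such as the "{" in the reporter's command. */
static const char *trans_function_name(const char *name)
{
    if (name == NULL || !(isalpha((unsigned char)name[0]) || name[0] == '_'))
        return NULL;
    return name;
}

/* Hardened caller: a NULL translated name becomes an error (-1) instead
 * of reaching find_func().  Otherwise 1 on a hit, 0 on a miss. */
int funcref_lookup(const char *name)
{
    const char *trans_name = trans_function_name(name);
    if (trans_name == NULL)
        return -1;
    return find_func(trans_name) != NULL;
}
```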
You received this message from the "vim_dev" maillist.