Dominique wrote:

> afl-fuzz found this command which crashes vim-7.4.2232:
> 
>   $ vim -u NONE -c "echo funcref('{')"
>   Vim: Caught deadly signal SEGV
>   Vim: Finished.
>   Segmentation fault (core dumped)
> 
> In gdb:
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x00000000004c1e26 in hash_hash (key=0x0) at hashtab.c:470
> 
> (gdb) bt
> #0  0x00000000004c1e26 in hash_hash (key=0x0) at hashtab.c:470
> #1  0x00000000004c164f in hash_find (ht=0x8ca240 <func_hashtab>,
> key=0x0) at hashtab.c:120
> #2  0x00000000005e284e in find_func (name=0x0) at userfunc.c:549
> #3  0x000000000044ee36 in common_function (argvars=0x7fffffffcea0,
> rettv=0x7fffffffd4b0, is_funcref=1) at evalfunc.c:3735
> #4  0x000000000044ef0f in f_funcref (argvars=0x7fffffffcea0,
> rettv=0x7fffffffd4b0) at evalfunc.c:3766
> #5  0x0000000000449fb2 in call_internal_func (name=0x929620 "funcref",
> argcount=1, argvars=0x7fffffffcea0, rettv=0x7fffffffd4b0) at evalfunc.c:997
> #6  0x00000000005e4702 in call_func (funcname=0x8e89b5
> "funcref('{')vim", len=7, rettv=0x7fffffffd4b0, argcount_in=1,
> argvars_in=0x7fffffffcea0, argv_func=0x0, firstline=1, lastline=1,
> doesrange=0x7fffffffd04c, evaluate=1, partial=0x0,
> selfdict_in=0x0) at userfunc.c:1372
> #7  0x00000000005e2582 in get_func_tv (name=0x8e89b5
> "funcref('{')vim", len=7, rettv=0x7fffffffd4b0, arg=0x7fffffffd498,
> firstline=1, lastline=1, doesrange=0x7fffffffd04c, evaluate=1,
> partial=0x0, selfdict=0x0) at userfunc.c:455
> #8  0x000000000043f7d6 in eval7 (arg=0x7fffffffd498,
> rettv=0x7fffffffd4b0, evaluate=1, want_string=0) at eval.c:4343
> #9  0x000000000043f011 in eval6 (arg=0x7fffffffd498,
> rettv=0x7fffffffd4b0, evaluate=1, want_string=0) at eval.c:3977
> #10 0x000000000043eaf4 in eval5 (arg=0x7fffffffd498,
> rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3793
> #11 0x000000000043ddb8 in eval4 (arg=0x7fffffffd498,
> rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3492
> #12 0x000000000043dbf6 in eval3 (arg=0x7fffffffd498,
> rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3409
> #13 0x000000000043da6f in eval2 (arg=0x7fffffffd498,
> rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3341
> #14 0x000000000043d8a6 in eval1 (arg=0x7fffffffd498,
> rettv=0x7fffffffd4b0, evaluate=1) at eval.c:3269
> #15 0x0000000000446086 in ex_echo (eap=0x7fffffffd5f0) at eval.c:8178
> #16 0x000000000047aa70 in do_one_cmd (cmdlinep=0x7fffffffd710,
> sourcing=1, cstack=0x7fffffffd800, fgetline=0x0, cookie=0x0) at ex_docmd.c:2925
> #17 0x000000000047775c in do_cmdline (cmdline=0x7fffffffe252 "echo funcref('{')vim",
> fgetline=0x0, cookie=0x0, flags=11) at ex_docmd.c:1110
> #18 0x0000000000476d98 in do_cmdline_cmd (cmd=0x7fffffffe252 "echo funcref('{')vim")
> at ex_docmd.c:715
> #19 0x00000000006236e1 in exe_commands (parmp=0x8cae40 <params>) at main.c:2896
> #20 0x000000000062080e in vim_main2 () at main.c:781
> #21 0x000000000062010f in main (argc=9, argv=0x7fffffffde58) at main.c:415
> 
> (gdb) up
> #1  0x00000000004c164f in hash_find (ht=0x8ca240 <func_hashtab>,
> key=0x0) at hashtab.c:120
> (gdb) up
> #2  0x00000000005e284e in find_func (name=0x0) at userfunc.c:549
> (gdb) up
> #3  0x000000000044ee36 in common_function (argvars=0x7fffffffcea0,
> rettv=0x7fffffffd4b0, is_funcref=1) at evalfunc.c:3735
> 
> evalfunc.c:
> 
>  3733│            else if (is_funcref)
>  3734│            {
>  3735├>              pt->pt_func = find_func(trans_name);
>  3736│                func_ptr_ref(pt->pt_func);
>  3737│                vim_free(name);
>  3738│            }
> 
> (gdb) p trans_name
> $1 = (char_u *) 0x0
> 
> So we have a funcref with trans_name being NULL
> at evalfunc.c:3735. The current error checking looks
> complex in this function, so I'm not sure how to fix it.

Thanks for the report.  I think the best way is to check trans_name not
to be NULL quite early.  I'll make a patch.

-- 
Never overestimate a man's ability to underestimate a woman.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php