Hi,

afl-fuzz found a use of freed memory in Vim-7.4.2321 and older. The script
contains errors, but it should not cause vim to access freed memory:

$ cat bug.vim
func Foo()
  let l = getli|e()
endfunc
set formatexpr=Foo()
norm gqG

$ valgrind --num-callers=50 vim -u NONE -S bug.vim -c q 2>log

And log contains:

==5251== Memcheck, a memory error detector
==5251== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==5251== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==5251== Command: ./vim -u NONE -S bug.vim -c q
==5251==
==5251== Invalid read of size 1
==5251==    at 0x415972: skipwhite (charset.c:1522)
==5251==    by 0x5D1CE8: get_func_tv (userfunc.c:471)
==5251==    by 0x436B7B: eval7 (eval.c:4343)
==5251==    by 0x4363B6: eval6 (eval.c:3977)
==5251==    by 0x435E99: eval5 (eval.c:3793)
==5251==    by 0x43515D: eval4 (eval.c:3492)
==5251==    by 0x434F9B: eval3 (eval.c:3409)
==5251==    by 0x434E14: eval2 (eval.c:3341)
==5251==    by 0x434C4B: eval1 (eval.c:3269)
==5251==    by 0x42FF64: eval_to_number (eval.c:803)
==5251==    by 0x50F737: fex_format (ops.c:4758)
==5251==    by 0x50F6A4: op_formatexpr (ops.c:4729)
==5251==    by 0x4F9488: do_pending_operator (normal.c:1982)
==5251==    by 0x4F7C2D: normal_cmd (normal.c:1182)
==5251==    by 0x47DF5C: exec_normal (ex_docmd.c:10250)
==5251==    by 0x47DF1B: exec_normal_cmd (ex_docmd.c:10233)
==5251==    by 0x47DD2D: ex_normal (ex_docmd.c:10142)
==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==5251==    by 0x46C017: do_source (ex_cmds2.c:4097)
==5251==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
==5251==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==5251==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
==5251==    by 0x5FA0F2: exe_commands (main.c:2896)
==5251==    by 0x5F74D7: vim_main2 (main.c:781)
==5251==    by 0x5F6E81: main (main.c:415)
==5251==  Address 0x76c0eb5 is 5 bytes inside a block of size 6 free'd
==5251==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==5251==    by 0x4E787B: vim_free (misc2.c:1705)
==5251==    by 0x51929E: clear_string_option (option.c:5573)
==5251==    by 0x40988B: free_buf_options (buffer.c:2112)
==5251==    by 0x522B3A: buf_copy_options (option.c:10732)
==5251==    by 0x409469: buflist_new (buffer.c:1974)
==5251==    by 0x45C9F1: do_ecmd (ex_cmds.c:3855)
==5251==    by 0x47B720: do_exedit (ex_docmd.c:8591)
==5251==    by 0x47B3B6: ex_edit (ex_docmd.c:8487)
==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==5251==    by 0x5D2D5B: call_user_func (userfunc.c:893)
==5251==    by 0x5D3E05: call_func (userfunc.c:1353)
==5251==    by 0x5D1C4E: get_func_tv (userfunc.c:455)
==5251==    by 0x436B7B: eval7 (eval.c:4343)
==5251==    by 0x4363B6: eval6 (eval.c:3977)
==5251==    by 0x435E99: eval5 (eval.c:3793)
==5251==    by 0x43515D: eval4 (eval.c:3492)
==5251==    by 0x434F9B: eval3 (eval.c:3409)
==5251==    by 0x434E14: eval2 (eval.c:3341)
==5251==    by 0x434C4B: eval1 (eval.c:3269)
==5251==    by 0x42FF64: eval_to_number (eval.c:803)
==5251==    by 0x50F737: fex_format (ops.c:4758)
==5251==    by 0x50F6A4: op_formatexpr (ops.c:4729)
==5251==    by 0x4F9488: do_pending_operator (normal.c:1982)
==5251==    by 0x4F7C2D: normal_cmd (normal.c:1182)
==5251==    by 0x47DF5C: exec_normal (ex_docmd.c:10250)
==5251==    by 0x47DF1B: exec_normal_cmd (ex_docmd.c:10233)
==5251==    by 0x47DD2D: ex_normal (ex_docmd.c:10142)
==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==5251==    by 0x46C017: do_source (ex_cmds2.c:4097)
==5251==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
==5251==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==5251==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
==5251==    by 0x5FA0F2: exe_commands (main.c:2896)
==5251==    by 0x5F74D7: vim_main2 (main.c:781)
==5251==    by 0x5F6E81: main (main.c:415)
==5251==  Block was alloc'd at
==5251==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==5251==    by 0x4E699B: lalloc (misc2.c:920)
==5251==    by 0x4E6868: alloc (misc2.c:818)
==5251==    by 0x517883: do_set (option.c:4772)
==5251==    by 0x480F81: ex_set (ex_docmd.c:12037)
==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==5251==    by 0x46C017: do_source (ex_cmds2.c:4097)
==5251==    by 0x46B629: cmd_source (ex_cmds2.c:3710)
==5251==    by 0x46B57B: ex_source (ex_cmds2.c:3685)
==5251==    by 0x4718D4: do_one_cmd (ex_docmd.c:2962)
==5251==    by 0x46E355: do_cmdline (ex_docmd.c:1110)
==5251==    by 0x46D991: do_cmdline_cmd (ex_docmd.c:715)
==5251==    by 0x5FA0F2: exe_commands (main.c:2896)
==5251==    by 0x5F74D7: vim_main2 (main.c:781)
==5251==    by 0x5F6E81: main (main.c:415)
(...snip many other errors...)

It's an old bug: at least vim-7.4.52 that comes with xubuntu-14.04 was
already affected. I did not try older versions.

No patch, and I find it hard to see what's going on here.

Regards,
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

--- 
You received this message because you are subscribed to the Google Groups "vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
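The two Valgrind stacks above show the shape of the bug: the 'formatexpr' string ("Foo()" plus NUL, the 6-byte block allocated in do_set) is handed to the expression evaluator, the evaluator calls the user function, the function body runs an ":e" command (the "|" in bug.vim splits the line, so "e()" is executed as ex_edit), creating a new buffer frees and replaces that buffer's option strings under buf_copy_options/free_buf_options, and get_func_tv then continues parsing (skipwhite) from its original pointer into the freed block. The following C model, written for this page and not taken from Vim's sources, reproduces that pattern in miniature and sets it beside the usual remedy, evaluating a private copy of the option value so nothing the callback does can free the bytes the parser is still walking. buf_T here is a one-field stand-in, reset_buf_options stands in for the option reset on buffer creation, foo_user_func stands in for call_user_func running Foo(), and the copy-then-evaluate fix is shown as a general technique, not as Vim's actual patch. To keep the program well-defined, the evaluator does not dereference the dangling pointer; it records the address freed during the call and reports whether its input was that block.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a Vim buffer with a single string option.
 * Constructed model for this page; not Vim's buf_T. */
typedef struct {
    char *formatexpr;   /* owned heap string, like the 'formatexpr' value */
} buf_T;

/* Address of the option value most recently freed, recorded so the
 * evaluator can detect, without dereferencing, that its input is gone. */
static uintptr_t last_freed;

static char *xstrdup(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Stand-in for what creating a buffer does in the trace
 * (buflist_new -> buf_copy_options -> free_buf_options ->
 * clear_string_option): the option strings are freed and replaced. */
static void reset_buf_options(buf_T *buf)
{
    last_freed = (uintptr_t)buf->formatexpr;
    free(buf->formatexpr);
    buf->formatexpr = xstrdup("");
}

/* Stand-in for call_user_func() running Foo(), whose body ends up
 * executing ":e" and therefore resetting the buffer's options. */
typedef void (*user_func_T)(buf_T *);
static void foo_user_func(buf_T *buf) { reset_buf_options(buf); }

/* Parse "Name(...)" the way get_func_tv() does: read the name, run the
 * function, then keep scanning (skipwhite) from the same pointer.
 * Returns 1 if that continuation would touch memory freed during the
 * call, 0 if the scan completed on live memory, -1 on a malformed
 * expression. */
static int eval_call_expr(buf_T *buf, const char *expr, user_func_T fn)
{
    const char *p = expr;
    while (*p != '\0' && *p != '(')
        p++;                          /* function name */
    if (*p != '(')
        return -1;
    p++;                              /* step past "(" */
    fn(buf);                          /* may free the storage behind expr */
    if ((uintptr_t)expr == last_freed)
        return 1;                     /* skipwhite(p) would read freed memory */
    while (*p == ' ' || *p == '\t')
        p++;                          /* skipwhite() on live memory */
    return 0;
}

/* Vulnerable: evaluate straight out of the option's own storage. */
int format_vulnerable(buf_T *buf, user_func_T fn)
{
    return eval_call_expr(buf, buf->formatexpr, fn);
}

/* Hardened: evaluate a private copy, so a callback that resets the
 * buffer's options cannot free the bytes the parser is still walking. */
int format_safe(buf_T *buf, user_func_T fn)
{
    char *copy = xstrdup(buf->formatexpr);
    int r;
    if (copy == NULL)
        return -1;
    r = eval_call_expr(buf, copy, fn);
    free(copy);
    return r;
}

/* Run one scenario on a fresh buffer whose 'formatexpr' is "Foo()" and
 * return the evaluator's verdict (1 = use after free, 0 = clean). */
int run_demo(int hardened)
{
    buf_T buf;
    int r;
    buf.formatexpr = xstrdup("Foo()");
    if (buf.formatexpr == NULL)
        return -1;
    r = hardened ? format_safe(&buf, foo_user_func)
                 : format_vulnerable(&buf, foo_user_func);
    free(buf.formatexpr);
    return r;
}

static const char *verdict(int r)
{
    return r == 1 ? "would read freed memory" : r == 0 ? "ok" : "error";
}

int main(void)
{
    printf("evaluate option in place: %s\n", verdict(run_demo(0)));
    printf("evaluate a private copy:  %s\n", verdict(run_demo(1)));
    return 0;
}
```

The same two-step check works on the real thing: build Vim with ASan or run it under Valgrind as above, and the in-place path reports the read in skipwhite while the copying path is silent. The cost of the fix is one allocation per 'formatexpr' evaluation, which is negligible next to running a user function.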
