Hi
afl-fuzz found another case which causes
use of freed memory in vim-8.0.82 and older.
Steps to reproduce it:
$ cat >use-free-mem.vim <<EOF
lexpr 0
lopen
fun X(c)
let save_efm=&efm
set efm=%D%f
if a:c == 'c'
caddexpr '::'
else
laddexpr ':0:0'
endif
let &efm=save_efm
endfun
call X('c')
call X('l')
call setqflist([], 'r')
cad
EOF
$ valgrind vim -u NONE -S use-free-mem.vim -cqa 2> vg.log
vg.log contains:
==17976== Memcheck, a memory error detector
==17976== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==17976== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==17976== Command: vim -u NONE -S use-free-mem.vim -cqa
==17976==
==17976== Invalid read of size 1
==17976== at 0x4C2D9F2: strlen (vg_replace_strmem.c:454)
==17976== by 0x5002BB: concat_fnames (misc1.c:5122)
==17976== by 0x56F171: qf_get_fnum (quickfix.c:1642)
==17976== by 0x564220: qf_add_entry (quickfix.c:1415)
==17976== by 0x5637FA: qf_init_ext (quickfix.c:1230)
==17976== by 0x56BD52: ex_cbuffer (quickfix.c:4924)
==17976== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==17976== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==17976== by 0x47D1D8: do_source (ex_cmds2.c:4111)
==17976== by 0x47C856: cmd_source (ex_cmds2.c:3724)
==17976== by 0x47C8AB: ex_source (ex_cmds2.c:3699)
==17976== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==17976== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==17976== by 0x480665: do_cmdline_cmd (ex_docmd.c:715)
==17976== by 0x64C8E1: exe_commands (main.c:2896)
==17976== by 0x64B5A0: vim_main2 (main.c:781)
==17976== by 0x648E93: main (main.c:415)
==17976== Address 0x76cb8b0 is 0 bytes inside a block of size 3 free'd
==17976== at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==17976== by 0x50CF6D: vim_free (misc2.c:1727)
==17976== by 0x56CC1E: qf_clean_dir_stack (quickfix.c:1796)
==17976== by 0x563D24: qf_free (quickfix.c:2713)
==17976== by 0x56B487: qf_add_entries (quickfix.c:4682)
==17976== by 0x56B1EA: set_errorlist (quickfix.c:4843)
==17976== by 0x462787: set_qf_ll_list (evalfunc.c:9959)
==17976== by 0x459B66: f_setqflist (evalfunc.c:10146)
==17976== by 0x44C39D: call_internal_func (evalfunc.c:999)
==17976== by 0x61F27D: call_func (userfunc.c:1372)
==17976== by 0x61EB33: get_func_tv (userfunc.c:455)
==17976== by 0x624BF8: ex_call (userfunc.c:2981)
==17976== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==17976== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==17976== by 0x47D1D8: do_source (ex_cmds2.c:4111)
==17976== by 0x47C856: cmd_source (ex_cmds2.c:3724)
==17976== by 0x47C8AB: ex_source (ex_cmds2.c:3699)
==17976== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==17976== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==17976== by 0x480665: do_cmdline_cmd (ex_docmd.c:715)
==17976== by 0x64C8E1: exe_commands (main.c:2896)
==17976== by 0x64B5A0: vim_main2 (main.c:781)
==17976== by 0x648E93: main (main.c:415)
==17976== Block was alloc'd at
==17976== at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==17976== by 0x50C84A: lalloc (misc2.c:942)
==17976== by 0x50C7E7: alloc (misc2.c:840)
==17976== by 0x50CFA4: vim_strsave (misc2.c:1285)
==17976== by 0x56EEE7: qf_push_dir (quickfix.c:1711)
==17976== by 0x56D890: qf_parse_line (quickfix.c:980)
==17976== by 0x563676: qf_init_ext (quickfix.c:1221)
==17976== by 0x56C0A4: ex_cexpr (quickfix.c:4993)
==17976== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==17976== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==17976== by 0x620725: call_user_func (userfunc.c:893)
==17976== by 0x61F1EB: call_func (userfunc.c:1353)
==17976== by 0x61EB33: get_func_tv (userfunc.c:455)
==17976== by 0x624BF8: ex_call (userfunc.c:2981)
==17976== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==17976== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==17976== by 0x47D1D8: do_source (ex_cmds2.c:4111)
==17976== by 0x47C856: cmd_source (ex_cmds2.c:3724)
==17976== by 0x47C8AB: ex_source (ex_cmds2.c:3699)
==17976== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
==17976== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
==17976== by 0x480665: do_cmdline_cmd (ex_docmd.c:715)
==17976== by 0x64C8E1: exe_commands (main.c:2896)
==17976== by 0x64B5A0: vim_main2 (main.c:781)
==17976== by 0x648E93: main (main.c:415)
...snip more errors...
I don't see this error with vim-7.4.52 that comes
with ubuntu-14.04, so it's a regression.
Doing a bisection, I see that:
Vim-7.4.1980 has the BUG
Vim-7.4.1979 is OK
So the bug is introduced by Vim-7.4.1980:
===
commit 361c8f0e517e41f1f1d34dae328044406fde80ac
Author: Bram Moolenaar <[email protected]>
Date: Sat Jul 2 15:41:47 2016 +0200
patch 7.4.1980
Problem:    'errorformat' is parsed for every call to ":caddexpr".  Can't add
            to two location lists asynchronously.
Solution:   Keep the previously parsed data when appropriate. (mostly by
            Yegappan Lakshmanan)
===
Regards
Dominique
--
You received this message from the "vim_dev" maillist.
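Added example, not from the report or from Vim's source: a small C model of the pattern the valgrind trace shows. A directory name is pushed onto a stack (the 3-byte "::" block allocated under qf_push_dir), a cached pointer into that stack survives the list reset that frees it (qf_clean_dir_stack via setqflist), and the next add reads it through strlen. The struct and function names are constructed; the "fixed" variant shows the defensive rule of clearing the cached pointer together with the memory it points into.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed model of a quickfix directory stack plus a parse state cached
 * across :caddexpr calls. Names are hypothetical, not Vim's. */
struct dir_stack { struct dir_stack *next; char *dirname; };

struct qf_list {
    struct dir_stack *dir_stack;
    const char *cur_dir;     /* cached pointer into a dir_stack entry */
};

/* Model of qf_push_dir: duplicate the directory and remember it. */
static void push_dir(struct qf_list *qfl, const char *dir) {
    struct dir_stack *ds = malloc(sizeof *ds);
    ds->dirname = strdup(dir);
    ds->next = qfl->dir_stack;
    qfl->dir_stack = ds;
    qfl->cur_dir = ds->dirname;
}

/* Buggy: the list reset frees the stack but leaves the cached pointer
 * dangling, so the next strlen() on it reads freed memory. */
static void clean_dir_stack_buggy(struct qf_list *qfl) {
    struct dir_stack *ds;
    while ((ds = qfl->dir_stack) != NULL) {
        qfl->dir_stack = ds->next;
        free(ds->dirname);
        free(ds);
    }
}

/* Fixed: the cached pointer is invalidated together with the stack. */
static void clean_dir_stack_fixed(struct qf_list *qfl) {
    clean_dir_stack_buggy(qfl);
    qfl->cur_dir = NULL;
}

/* Stand-in for the consumer (qf_get_fnum -> concat_fnames -> strlen):
 * length of the cached directory, or -1 when none is cached. */
static int cached_dir_len(const struct qf_list *qfl) {
    return qfl->cur_dir ? (int)strlen(qfl->cur_dir) : -1;
}

/* The report's sequence: push a dir, reset the list, add again. */
static int reproduce(int fixed) {
    struct qf_list qfl = { NULL, NULL };
    push_dir(&qfl, "::");                 /* "::" + NUL: a 3-byte block */
    if (fixed) clean_dir_stack_fixed(&qfl);
    else clean_dir_stack_buggy(&qfl);     /* use-after-free on the next line */
    return cached_dir_len(&qfl);
}
```

Building with `-fsanitize=address` (or running under valgrind) and calling `reproduce(0)` reports a heap use-after-free on the strlen with the same alloc/free/read shape as the trace above, while `reproduce(1)` returns -1 cleanly.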