Dominique Pellé wrote:
> afl-fuzz found this case which causes vim-8.0.81 and
> older to use free memory:
>
> $ cat >use-free-mem.vim <<EOF
> tabedit X
> tabfirst
> copen
> only
> echo win_getid(1, 1)
> EOF
>
> $ valgrind vim -u NONE -S use-free-mem.vim -cqa 2> vg.log
>
> And vg.log contains:
>
> ==11501== Memcheck, a memory error detector
> ==11501== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==11501== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==11501== Command: vim -u NONE -S use-free-mem.vim -cqa
> ==11501==
> ==11501== Invalid read of size 4
> ==11501== at 0x635043: win_getid (window.c:7140)
> ==11501== by 0x45DCE8: f_win_getid (evalfunc.c:5253)
> ==11501== by 0x44C39D: call_internal_func (evalfunc.c:999)
> ==11501== by 0x61F27D: call_func (userfunc.c:1372)
> ==11501== by 0x61EB33: get_func_tv (userfunc.c:455)
> ==11501== by 0x44B205: eval7 (eval.c:4343)
> ==11501== by 0x44A85E: eval6 (eval.c:3977)
> ==11501== by 0x44A424: eval5 (eval.c:3793)
> ==11501== by 0x44977A: eval4 (eval.c:3492)
> ==11501== by 0x449589: eval3 (eval.c:3409)
> ==11501== by 0x43F2C9: eval2 (eval.c:3341)
> ==11501== by 0x43ACF2: eval1 (eval.c:3269)
> ==11501== Address 0x759ed90 is 0 bytes inside a block of size 6,256 free'd
> ==11501== at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==11501== by 0x50CF6D: vim_free (misc2.c:1727)
> ==11501== by 0x62C607: win_free (window.c:4693)
> ==11501== by 0x62F72D: win_free_mem (window.c:2573)
> ==11501== by 0x629BB2: win_close (window.c:2420)
> ==11501== by 0x630239: close_others (window.c:3372)
> ==11501== by 0x4921C3: ex_only (ex_docmd.c:7556)
> ==11501== by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==11501== by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==11501== by 0x47D1D8: do_source (ex_cmds2.c:4111)
> ==11501== by 0x47C856: cmd_source (ex_cmds2.c:3724)
> ==11501== by 0x47C8AB: ex_source (ex_cmds2.c:3699)
> ==11501== Block was alloc'd at
> ==11501== at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==11501== by 0x50C84A: lalloc (misc2.c:942)
> ==11501== by 0x50C9D7: alloc_clear (misc2.c:864)
> ==11501== by 0x62C11A: win_alloc (window.c:4493)
> ==11501== by 0x630469: win_alloc_firstwin (window.c:3472)
> ==11501== by 0x6303D0: win_alloc_first (window.c:3430)
> ==11501== by 0x649158: common_init (main.c:983)
> ==11501== by 0x648B8A: main (main.c:173)
> ==11501==
> ==11501==
> ==11501== HEAP SUMMARY:
> ==11501== in use at exit: 104,856 bytes in 428 blocks
> ==11501== total heap usage: 6,712 allocs, 6,284 frees, 745,664 bytes allocated
> ==11501==
> ==11501== LEAK SUMMARY:
> ==11501== definitely lost: 5,336 bytes in 3 blocks
> ==11501== indirectly lost: 43,698 bytes in 64 blocks
> ==11501== possibly lost: 0 bytes in 0 blocks
> ==11501== still reachable: 55,822 bytes in 361 blocks
> ==11501== suppressed: 0 bytes in 0 blocks
> ==11501== Rerun with --leak-check=full to see details of leaked memory
> ==11501==
> ==11501== For counts of detected and suppressed errors, rerun with: -v
> ==11501== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Thanks, I'll fix it.
--
Anyone who is capable of getting themselves made President should on no
account be allowed to do the job.
-- Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
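The valgrind trace above shows the window allocated at startup (win_alloc_firstwin) being freed by :only (close_others -> win_close -> win_free) and then read inside win_getid. As an added example that is not Vim's code and makes no claim about the exact root cause Bram fixed, here is a small C model of that pattern: a lookup that walks from a cached head-of-list pointer after the window it names has been freed, next to the safe lookup that starts from the live head, plus a win_valid()-style check that tells the two apart. The names are modelled loosely on Vim's (win_T, tabpage_T, firstwin, curtab, win_valid) but the structs, the functions win_getid_stale / win_getid_live / only_scenario and the scenario itself are hypothetical stand-ins.

```c
/* Added example, not Vim's code: a model of the window-list pattern behind the
 * valgrind trace above (first window allocated at startup, freed by :only via
 * close_others(), then read by a win_getid()-style lookup). Struct and
 * function names are hypothetical stand-ins for Vim's. Build with
 * -fsanitize=address and run with --uaf to see the detector's report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct win_S {
    int w_id;              /* unique window id, like the value win_getid() returns */
    struct win_S *w_next;
} win_T;

typedef struct {
    win_T *tp_firstwin;    /* snapshot of the list head; not refreshed when windows close */
} tabpage_T;

static win_T *firstwin;    /* live head of the window list, kept current */
static tabpage_T curtab;   /* the current tab page */
static int next_id = 1000;

/* Append a new window at the end of the live list (where :copen puts the quickfix window). */
static win_T *win_alloc(void)
{
    win_T *wp = calloc(1, sizeof *wp), **pp = &firstwin;
    if (wp == NULL) abort();
    wp->w_id = next_id++;
    while (*pp != NULL) pp = &(*pp)->w_next;
    *pp = wp;
    return wp;
}

/* :only - free every window except `keep` and repoint the live head. */
static void close_others(win_T *keep)
{
    win_T *wp, *nextp;
    for (wp = firstwin; wp != NULL; wp = nextp) {
        nextp = wp->w_next;
        if (wp != keep) free(wp);
    }
    keep->w_next = NULL;
    firstwin = keep;
}

/* Validity check in the style of Vim's win_valid(): a window pointer may be
 * dereferenced only if it is still reachable from the live list. */
static int win_valid(const win_T *wp)
{
    const win_T *p;
    for (p = firstwin; p != NULL; p = p->w_next)
        if (p == wp) return 1;
    return 0;
}

/* Buggy lookup: walks from the tab's cached head. Once close_others() has
 * freed that window, reading wp->w_id here is the same kind of "Invalid read
 * of size 4 ... inside a block ... free'd" that valgrind reported. */
static int win_getid_stale(const tabpage_T *tp, int winnr)
{
    const win_T *wp = tp->tp_firstwin;
    for (; wp != NULL && winnr > 1; wp = wp->w_next) winnr--;
    return wp != NULL ? wp->w_id : 0;
}

/* Safe lookup for the current tab: start from the live head, never from a
 * snapshot that window closes do not update. Returns 0 when winnr is out of range. */
static int win_getid_live(int winnr)
{
    const win_T *wp = firstwin;
    for (; wp != NULL && winnr > 1; wp = wp->w_next) winnr--;
    return wp != NULL ? wp->w_id : 0;
}

/* Replays the shape of the report's script: one startup window, one extra
 * window, a snapshot of the head as a tab page keeps it, then :only keeping
 * the extra window. Returns the id the safe lookup gives for window 1 and
 * leaves curtab holding the now-dangling snapshot for inspection. */
static int only_scenario(void)
{
    win_T *w_orig, *w_qf;
    while (firstwin != NULL) {               /* reset state so the scenario is repeatable */
        win_T *n = firstwin->w_next;
        free(firstwin);
        firstwin = n;
    }
    next_id = 1000;
    w_orig = win_alloc();                    /* like win_alloc_firstwin() at startup */
    w_qf = win_alloc();                      /* like the window :copen opens */
    curtab.tp_firstwin = w_orig;             /* snapshot taken while w_orig is alive */
    close_others(w_qf);                      /* :only frees w_orig; the snapshot now dangles */
    return win_getid_live(1);
}

int main(int argc, char **argv)
{
    int id = only_scenario();
    printf("window 1 after :only -> id %d; cached head still valid: %d\n",
           id, win_valid(curtab.tp_firstwin));
    if (argc > 1 && strcmp(argv[1], "--uaf") == 0)   /* deliberate use-after-free for the sanitizer */
        printf("stale lookup says id %d\n", win_getid_stale(&curtab, 1));
    return 0;
}
```

Compile with `cc -g -fsanitize=address uaf_model.c -o uaf_model` and run `./uaf_model --uaf` to get a heap-use-after-free report whose free and allocation stacks have the same shape as the valgrind output above (freed in close_others, allocated in win_alloc, read in the lookup); without `--uaf` only the safe path runs. The practical lesson for a practitioner is the check itself: any pointer a data structure caches across an operation that can free list members must either be refreshed by that operation or be validated against the live list before it is dereferenced.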