Dominique Pellé wrote:

> afl-fuzz found another case which causes
> use of free memory in vim-8.0.82 and older.
> 
> Steps to reproduce it:
> 
> $ cat >use-free-mem.vim <<EOF
> lexpr 0
> lopen
> fun X(c)
>   let save_efm=&efm
>   set efm=%D%f
>   if a:c == 'c'
>     caddexpr '::'
>   else
>     laddexpr ':0:0'
>   endif
>   let &efm=save_efm
> endfun
> call X('c')
> call X('l')
> call setqflist([], 'r')
> cad
> EOF
> 
> $ valgrind vim -u NONE -S use-free-mem.vim -cqa 2> vg.log
> 
> vg.log contains:
> 
> ==17976== Memcheck, a memory error detector
> ==17976== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==17976== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==17976== Command: vim -u NONE -S use-free-mem.vim -cqa
> ==17976==
> ==17976== Invalid read of size 1
> ==17976==    at 0x4C2D9F2: strlen (vg_replace_strmem.c:454)
> ==17976==    by 0x5002BB: concat_fnames (misc1.c:5122)
> ==17976==    by 0x56F171: qf_get_fnum (quickfix.c:1642)
> ==17976==    by 0x564220: qf_add_entry (quickfix.c:1415)
> ==17976==    by 0x5637FA: qf_init_ext (quickfix.c:1230)
> ==17976==    by 0x56BD52: ex_cbuffer (quickfix.c:4924)
> ==17976==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==17976==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==17976==    by 0x47D1D8: do_source (ex_cmds2.c:4111)
> ==17976==    by 0x47C856: cmd_source (ex_cmds2.c:3724)
> ==17976==    by 0x47C8AB: ex_source (ex_cmds2.c:3699)
> ==17976==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==17976==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==17976==    by 0x480665: do_cmdline_cmd (ex_docmd.c:715)
> ==17976==    by 0x64C8E1: exe_commands (main.c:2896)
> ==17976==    by 0x64B5A0: vim_main2 (main.c:781)
> ==17976==    by 0x648E93: main (main.c:415)
> ==17976==  Address 0x76cb8b0 is 0 bytes inside a block of size 3 free'd
> ==17976==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==17976==    by 0x50CF6D: vim_free (misc2.c:1727)
> ==17976==    by 0x56CC1E: qf_clean_dir_stack (quickfix.c:1796)
> ==17976==    by 0x563D24: qf_free (quickfix.c:2713)
> ==17976==    by 0x56B487: qf_add_entries (quickfix.c:4682)
> ==17976==    by 0x56B1EA: set_errorlist (quickfix.c:4843)
> ==17976==    by 0x462787: set_qf_ll_list (evalfunc.c:9959)
> ==17976==    by 0x459B66: f_setqflist (evalfunc.c:10146)
> ==17976==    by 0x44C39D: call_internal_func (evalfunc.c:999)
> ==17976==    by 0x61F27D: call_func (userfunc.c:1372)
> ==17976==    by 0x61EB33: get_func_tv (userfunc.c:455)
> ==17976==    by 0x624BF8: ex_call (userfunc.c:2981)
> ==17976==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==17976==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==17976==    by 0x47D1D8: do_source (ex_cmds2.c:4111)
> ==17976==    by 0x47C856: cmd_source (ex_cmds2.c:3724)
> ==17976==    by 0x47C8AB: ex_source (ex_cmds2.c:3699)
> ==17976==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==17976==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==17976==    by 0x480665: do_cmdline_cmd (ex_docmd.c:715)
> ==17976==    by 0x64C8E1: exe_commands (main.c:2896)
> ==17976==    by 0x64B5A0: vim_main2 (main.c:781)
> ==17976==    by 0x648E93: main (main.c:415)
> ==17976==  Block was alloc'd at
> ==17976==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==17976==    by 0x50C84A: lalloc (misc2.c:942)
> ==17976==    by 0x50C7E7: alloc (misc2.c:840)
> ==17976==    by 0x50CFA4: vim_strsave (misc2.c:1285)
> ==17976==    by 0x56EEE7: qf_push_dir (quickfix.c:1711)
> ==17976==    by 0x56D890: qf_parse_line (quickfix.c:980)
> ==17976==    by 0x563676: qf_init_ext (quickfix.c:1221)
> ==17976==    by 0x56C0A4: ex_cexpr (quickfix.c:4993)
> ==17976==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==17976==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==17976==    by 0x620725: call_user_func (userfunc.c:893)
> ==17976==    by 0x61F1EB: call_func (userfunc.c:1353)
> ==17976==    by 0x61EB33: get_func_tv (userfunc.c:455)
> ==17976==    by 0x624BF8: ex_call (userfunc.c:2981)
> ==17976==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==17976==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==17976==    by 0x47D1D8: do_source (ex_cmds2.c:4111)
> ==17976==    by 0x47C856: cmd_source (ex_cmds2.c:3724)
> ==17976==    by 0x47C8AB: ex_source (ex_cmds2.c:3699)
> ==17976==    by 0x483B37: do_one_cmd (ex_docmd.c:2960)
> ==17976==    by 0x47F8DF: do_cmdline (ex_docmd.c:1110)
> ==17976==    by 0x480665: do_cmdline_cmd (ex_docmd.c:715)
> ==17976==    by 0x64C8E1: exe_commands (main.c:2896)
> ==17976==    by 0x64B5A0: vim_main2 (main.c:781)
> ==17976==    by 0x648E93: main (main.c:415)
> ...snip more errors...
> 
> I don't see this error with vim-7.4.52 that comes
> with ubuntu-14.04, so it's a regression.
> 
> Doing a bisection, I see that:
> 
> Vim-7.4.1980 has the BUG
> Vim-7.4.1979 is OK
> 
> So the bug is introduced by Vim-7.4.1980:
> 
> ===
> commit 361c8f0e517e41f1f1d34dae328044406fde80ac
> Author: Bram Moolenaar <[email protected]>
> Date:   Sat Jul 2 15:41:47 2016 +0200
> 
>     patch 7.4.1980
>     Problem:    'errorformat' is parsed for every call to ":caddexpr". Can't add
>                 to two location lists asynchronously.
>     Solution:   Keep the previously parsed data when appropriate. (mostly by
>                 Yegappan Lakshmanan)
> ===

Thanks, I'll fix it.

-- 
Don't Panic!
                -- The Hitchhiker's Guide to the Galaxy

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
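The valgrind trace above shows the quickfix file-name lookup (qf_get_fnum via concat_fnames) reading a directory-stack string that qf_clean_dir_stack had already freed when setqflist(..., 'r') replaced the list. The following C program is an added illustration of that bug class and is not Vim's code: a parser state caches a pointer that aliases an entry of a directory stack, the stack is freed when the list is replaced, and the cached pointer is either left dangling (the unsafe reset) or cleared in the same step that frees its target (the hardened reset). All names here (`list_state`, `push_dir`, `clean_dir_stack_unsafe`, `clean_dir_stack_safe`, `resolve_fname`, `run_scenario`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model (not Vim's code) of a parser that caches a pointer
 * INTO a directory-stack entry across calls.  Freeing the stack without
 * clearing that cache leaves a dangling pointer for the next parse. */

typedef struct dir_entry {
    struct dir_entry *next;
    char *dirname;             /* heap copy of the directory name */
} dir_entry;

typedef struct {
    dir_entry *dir_stack;      /* directories pushed by a %D-style line */
    const char *directory;     /* cached current dir; aliases a stack entry */
} list_state;

/* Portable strdup replacement (strdup is POSIX, not C99). */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Push a directory; the cache now points at the new entry's storage. */
static int push_dir(list_state *st, const char *name)
{
    dir_entry *e = malloc(sizeof *e);
    if (e == NULL)
        return -1;
    e->dirname = copy_string(name);
    if (e->dirname == NULL) {
        free(e);
        return -1;
    }
    e->next = st->dir_stack;
    st->dir_stack = e;
    st->directory = e->dirname;
    return 0;
}

static void free_stack_entries(list_state *st)
{
    while (st->dir_stack != NULL) {
        dir_entry *e = st->dir_stack;
        st->dir_stack = e->next;
        free(e->dirname);
        free(e);
    }
}

/* Vulnerable form: frees the entries but leaves st->directory dangling. */
static void clean_dir_stack_unsafe(list_state *st)
{
    free_stack_entries(st);
}

/* Hardened form: the cache is cleared in the same place the memory it
 * aliases is released, so no later parse can dereference it. */
static void clean_dir_stack_safe(list_state *st)
{
    free_stack_entries(st);
    st->directory = NULL;
}

/* Build "<directory>/<fname>" into out.  Returns 0 on success and -1 when
 * there is no current directory, instead of trusting a stale pointer. */
static int resolve_fname(const list_state *st, const char *fname,
                         char *out, size_t outsz)
{
    if (st->directory == NULL)
        return -1;
    if (snprintf(out, outsz, "%s/%s", st->directory, fname) >= (int)outsz)
        return -1;
    return 0;
}

/* Scenario mirroring the report: push a directory, replace the list (which
 * frees the stack), then resolve another entry.  Hardened: returns -1 (no
 * directory).  Unsafe: returns 1 because the cache still holds the freed
 * address; dereferencing it would be the use-after-free itself, so the
 * unsafe path only reports that the dangling pointer was retained. */
static int run_scenario(int hardened, char *out, size_t outsz)
{
    list_state st = { NULL, NULL };
    if (push_dir(&st, "src") != 0)
        return -2;
    if (resolve_fname(&st, "a.c", out, outsz) != 0)   /* live: "src/a.c" */
        return -2;
    if (hardened) {
        clean_dir_stack_safe(&st);
        return resolve_fname(&st, "main.c", out, outsz);
    }
    clean_dir_stack_unsafe(&st);
    return st.directory != NULL ? 1 : 0;
}

int main(void)
{
    char buf[64];
    printf("hardened reset: %d\n", run_scenario(1, buf, sizeof buf));
    printf("unsafe reset:   %d (1 = dangling cache retained)\n",
           run_scenario(0, buf, sizeof buf));
    return 0;
}
```

The design point is the one the fix for this class of bug relies on: a cached pointer must be invalidated by whoever frees its target, not by callers remembering to do so. Building with `-fsanitize=address` (or running under valgrind, as in the report) is the way to catch the unsafe variant in a test suite if a dereference of the stale cache is ever reintroduced.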

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
