Hi

afl-fuzz found another case of use of freed memory with
vim-8.0.84 and older.

Steps to reproduce:

$ cat > use-free-mem.vim <<EOF
fun X()
  let g:Y = function('sort')
endfun
let g:Y = function('sort')
echo Y(X())
EOF

$ valgrind --num-callers=40 vim -u NONE -S use-free-mem.vim -cqa 2> vg.log


And vg.log contains:

==5261== Memcheck, a memory error detector
==5261== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==5261== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==5261== Command: ./vim -u NONE -S use-free-mem.vim -cqa
==5261==
==5261== Invalid read of size 1
==5261==    at 0x4C2E010: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
==5261==    by 0x4C73A1: strncpy (string3.h:120)
==5261==    by 0x4C73A1: vim_strnsave (misc2.c:1305)
==5261==    by 0x5AA32C: call_func (userfunc.c:1251)
==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x431F65: ex_echo (eval.c:8175)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5CD05C: exe_commands (main.c:2896)
==5261==    by 0x5CD05C: vim_main2 (main.c:781)
==5261==    by 0x5CBA5B: main (main.c:415)
==5261==  Address 0x76891d0 is 0 bytes inside a block of size 5 free'd
==5261==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==5261==    by 0x42B816: clear_tv (eval.c:7044)
==5261==    by 0x429D87: set_var (eval.c:7739)
==5261==    by 0x42ABFE: set_var_lval (eval.c:2210)
==5261==    by 0x434E56: ex_let_one (eval.c:1771)
==5261==    by 0x42CB58: ex_let_vars (eval.c:1248)
==5261==    by 0x42C4A8: ex_let (eval.c:1213)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5AB1A5: call_user_func (userfunc.c:893)
==5261==    by 0x5AB1A5: call_func (userfunc.c:1353)
==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x5AA08A: get_func_tv (userfunc.c:425)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x431F65: ex_echo (eval.c:8175)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5CD05C: exe_commands (main.c:2896)
==5261==    by 0x5CD05C: vim_main2 (main.c:781)
==5261==    by 0x5CBA5B: main (main.c:415)
==5261==  Block was alloc'd at
==5261==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==5261==    by 0x4C70A7: lalloc (misc2.c:942)
==5261==    by 0x4C734E: alloc (misc2.c:840)
==5261==    by 0x4C734E: vim_strsave (misc2.c:1285)
==5261==    by 0x44498E: common_function (evalfunc.c:3656)
==5261==    by 0x43765E: call_internal_func (evalfunc.c:999)
==5261==    by 0x5AA725: call_func (userfunc.c:1372)
==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x42B689: eval0 (eval.c:3229)
==5261==    by 0x42C460: ex_let (eval.c:1204)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5CD05C: exe_commands (main.c:2896)
==5261==    by 0x5CD05C: vim_main2 (main.c:781)
==5261==    by 0x5CBA5B: main (main.c:415)
==5261==
==5261== Invalid read of size 1
==5261==    at 0x4C2E030: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
==5261==    by 0x4C73A1: strncpy (string3.h:120)
==5261==    by 0x4C73A1: vim_strnsave (misc2.c:1305)
==5261==    by 0x5AA32C: call_func (userfunc.c:1251)
==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x431F65: ex_echo (eval.c:8175)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5CD05C: exe_commands (main.c:2896)
==5261==    by 0x5CD05C: vim_main2 (main.c:781)
==5261==    by 0x5CBA5B: main (main.c:415)
==5261==  Address 0x76891d1 is 1 bytes inside a block of size 5 free'd
==5261==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==5261==    by 0x42B816: clear_tv (eval.c:7044)
==5261==    by 0x429D87: set_var (eval.c:7739)
==5261==    by 0x42ABFE: set_var_lval (eval.c:2210)
==5261==    by 0x434E56: ex_let_one (eval.c:1771)
==5261==    by 0x42CB58: ex_let_vars (eval.c:1248)
==5261==    by 0x42C4A8: ex_let (eval.c:1213)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5AB1A5: call_user_func (userfunc.c:893)
==5261==    by 0x5AB1A5: call_func (userfunc.c:1353)
==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x5AA08A: get_func_tv (userfunc.c:425)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x431F65: ex_echo (eval.c:8175)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5CD05C: exe_commands (main.c:2896)
==5261==    by 0x5CD05C: vim_main2 (main.c:781)
==5261==    by 0x5CBA5B: main (main.c:415)
==5261==  Block was alloc'd at
==5261==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==5261==    by 0x4C70A7: lalloc (misc2.c:942)
==5261==    by 0x4C734E: alloc (misc2.c:840)
==5261==    by 0x4C734E: vim_strsave (misc2.c:1285)
==5261==    by 0x44498E: common_function (evalfunc.c:3656)
==5261==    by 0x43765E: call_internal_func (evalfunc.c:999)
==5261==    by 0x5AA725: call_func (userfunc.c:1372)
==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
==5261==    by 0x436770: eval7 (eval.c:4343)
==5261==    by 0x436302: eval6 (eval.c:3977)
==5261==    by 0x435FE2: eval5 (eval.c:3793)
==5261==    by 0x43580E: eval4 (eval.c:3492)
==5261==    by 0x4356C4: eval3 (eval.c:3409)
==5261==    by 0x42B962: eval2 (eval.c:3341)
==5261==    by 0x42B962: eval1 (eval.c:3269)
==5261==    by 0x42B689: eval0 (eval.c:3229)
==5261==    by 0x42C460: ex_let (eval.c:1204)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
==5261==    by 0x5CD05C: exe_commands (main.c:2896)
==5261==    by 0x5CD05C: vim_main2 (main.c:781)
==5261==    by 0x5CBA5B: main (main.c:415)
==5261==
==5261==
==5261== HEAP SUMMARY:
==5261==     in use at exit: 335,292 bytes in 1,432 blocks
==5261==   total heap usage: 4,946 allocs, 3,514 frees, 672,454 bytes allocated
==5261==
==5261== LEAK SUMMARY:
==5261==    definitely lost: 0 bytes in 0 blocks
==5261==    indirectly lost: 0 bytes in 0 blocks
==5261==      possibly lost: 308 bytes in 5 blocks
==5261==    still reachable: 334,984 bytes in 1,427 blocks
==5261==         suppressed: 0 bytes in 0 blocks
==5261== Rerun with --leak-check=full to see details of leaked memory
==5261==
==5261== For counts of detected and suppressed errors, rerun with: -v
==5261== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 0 from 0)

Regards
Dominique

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
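When afl-fuzz produces many crashing inputs, a report like the one above is usually one of dozens, and the first triage step is to group the Valgrind reports by where the bad access, the free and the allocation happened. The following Python script is an added example, not part of the report or of Vim; it parses Memcheck output into those three stacks and derives a deduplication signature from the first non-Valgrind frame of each. The sample log is a constructed, abbreviated excerpt modelled on the trace in the report, and the NOISE_FRAMES list (Valgrind's replacement library and libc string headers) is an assumption about what a triager wants to skip.

```python
"""Group Valgrind Memcheck use-after-free reports by signature (added example)."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PID_PREFIX = re.compile(r"^==\d+==\s?")
FRAME = re.compile(r"^(?:at|by) 0x[0-9A-Fa-f]+: (?P<func>\S+) \((?P<loc>[^)]*)\)")
ERROR_HEAD = re.compile(
    r"^(Invalid (?:read|write) of size \d+|Invalid free\(\)|"
    r"Use of uninitialised value of size \d+)$")
FREED_HEAD = re.compile(
    r"^Address 0x[0-9A-Fa-f]+ is \d+ bytes inside a block of size \d+ free'd$")
ALLOC_HEAD = re.compile(r"^Block was alloc'd at$")

# Assumed noise: Valgrind's own replacement functions and libc fortify headers.
NOISE_FRAMES = ("vg_replace_", "string3.h", "string.h")


@dataclass
class MemcheckError:
    kind: str
    access_stack: List[str] = field(default_factory=list)  # where the bad access happened
    freed_stack: List[str] = field(default_factory=list)   # where the block was freed
    alloc_stack: List[str] = field(default_factory=list)   # where the block was allocated

    @staticmethod
    def first_target_frame(stack: List[str]) -> str:
        """First frame that belongs to the program under test, not to Valgrind/libc."""
        for frame in stack:
            if not any(noise in frame for noise in NOISE_FRAMES):
                return frame
        return stack[0] if stack else "?"

    def is_use_after_free(self) -> bool:
        return bool(self.freed_stack)

    def signature(self) -> str:
        return "|".join([self.kind,
                         self.first_target_frame(self.access_stack),
                         self.first_target_frame(self.freed_stack),
                         self.first_target_frame(self.alloc_stack)])


def parse_memcheck(text: str) -> List[MemcheckError]:
    """Parse Memcheck output; each error block runs from its header to a blank line."""
    errors: List[MemcheckError] = []
    current: Optional[MemcheckError] = None
    target: Optional[List[str]] = None
    for raw in text.splitlines():
        line = PID_PREFIX.sub("", raw).strip()
        if not line:
            current = None          # a bare "==pid==" line ends the block
            continue
        if ERROR_HEAD.match(line):
            current = MemcheckError(kind=line)
            target = current.access_stack
            errors.append(current)
            continue
        if current is None:
            continue                # banner, heap/leak summary, etc.
        if FREED_HEAD.match(line):
            target = current.freed_stack
            continue
        if ALLOC_HEAD.match(line):
            target = current.alloc_stack
            continue
        m = FRAME.match(line)
        if m and target is not None:
            target.append(f"{m['func']} ({m['loc']})")
    return errors


def group_by_signature(errors: List[MemcheckError]) -> Dict[str, int]:
    """Count reports per signature so duplicate crashes collapse into one bucket."""
    groups: Dict[str, int] = OrderedDict()
    for err in errors:
        groups[err.signature()] = groups.get(err.signature(), 0) + 1
    return groups


# Constructed sample: an abbreviated Memcheck log in the shape of the report above.
SAMPLE_LOG = """\
==5261== Memcheck, a memory error detector
==5261== Command: ./vim -u NONE -S use-free-mem.vim -cqa
==5261==
==5261== Invalid read of size 1
==5261==    at 0x4C2E010: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
==5261==    by 0x4C73A1: strncpy (string3.h:120)
==5261==    by 0x4C73A1: vim_strnsave (misc2.c:1305)
==5261==    by 0x5AA32C: call_func (userfunc.c:1251)
==5261==  Address 0x76891d0 is 0 bytes inside a block of size 5 free'd
==5261==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==5261==    by 0x42B816: clear_tv (eval.c:7044)
==5261==    by 0x429D87: set_var (eval.c:7739)
==5261==  Block was alloc'd at
==5261==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==5261==    by 0x4C70A7: lalloc (misc2.c:942)
==5261==    by 0x4C734E: vim_strsave (misc2.c:1285)
==5261==
==5261== Invalid read of size 1
==5261==    at 0x4C2E030: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
==5261==    by 0x4C73A1: strncpy (string3.h:120)
==5261==    by 0x4C73A1: vim_strnsave (misc2.c:1305)
==5261==  Address 0x76891d1 is 1 bytes inside a block of size 5 free'd
==5261==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==5261==    by 0x42B816: clear_tv (eval.c:7044)
==5261==  Block was alloc'd at
==5261==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==5261==    by 0x4C70A7: lalloc (misc2.c:942)
==5261==
==5261== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 0 from 0)
"""

if __name__ == "__main__":
    for sig, count in group_by_signature(parse_memcheck(SAMPLE_LOG)).items():
        print(f"{count:3d}  {sig}")
```

Run it over the vg.log files of a whole afl crash directory (for example by reading each file and concatenating the results of parse_memcheck) and the two "Invalid read" reports above collapse into a single bucket keyed on vim_strnsave, clear_tv and lalloc, which is exactly the triple a maintainer needs to see that the name string freed by set_var is still referenced by call_func.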
