Dominique Pellé wrote:

> afl-fuzz found another case of use of freed memory with
> vim-8.0.84 and older.
> 
> Steps to reproduce:
> 
> $ cat > use-free-mem.vim <<EOF
> fun X()
>   let g:Y = function('sort')
> endfun
> let g:Y = function('sort')
> echo Y(X())
> EOF
> 
> $ valgrind --num-callers=40 vim -u NONE -S use-free-mem.vim -cqa 2> vg.log
> 
> 
> And vg.log contains:
> 
> ==5261== Memcheck, a memory error detector
> ==5261== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==5261== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==5261== Command: ./vim -u NONE -S use-free-mem.vim -cqa
> ==5261==
> ==5261== Invalid read of size 1
> ==5261==    at 0x4C2E010: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
> ==5261==    by 0x4C73A1: strncpy (string3.h:120)
> ==5261==    by 0x4C73A1: vim_strnsave (misc2.c:1305)
> ==5261==    by 0x5AA32C: call_func (userfunc.c:1251)
> ==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x431F65: ex_echo (eval.c:8175)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
> ==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5CD05C: exe_commands (main.c:2896)
> ==5261==    by 0x5CD05C: vim_main2 (main.c:781)
> ==5261==    by 0x5CBA5B: main (main.c:415)
> ==5261==  Address 0x76891d0 is 0 bytes inside a block of size 5 free'd
> ==5261==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==5261==    by 0x42B816: clear_tv (eval.c:7044)
> ==5261==    by 0x429D87: set_var (eval.c:7739)
> ==5261==    by 0x42ABFE: set_var_lval (eval.c:2210)
> ==5261==    by 0x434E56: ex_let_one (eval.c:1771)
> ==5261==    by 0x42CB58: ex_let_vars (eval.c:1248)
> ==5261==    by 0x42C4A8: ex_let (eval.c:1213)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5AB1A5: call_user_func (userfunc.c:893)
> ==5261==    by 0x5AB1A5: call_func (userfunc.c:1353)
> ==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x5AA08A: get_func_tv (userfunc.c:425)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x431F65: ex_echo (eval.c:8175)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
> ==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5CD05C: exe_commands (main.c:2896)
> ==5261==    by 0x5CD05C: vim_main2 (main.c:781)
> ==5261==    by 0x5CBA5B: main (main.c:415)
> ==5261==  Block was alloc'd at
> ==5261==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==5261==    by 0x4C70A7: lalloc (misc2.c:942)
> ==5261==    by 0x4C734E: alloc (misc2.c:840)
> ==5261==    by 0x4C734E: vim_strsave (misc2.c:1285)
> ==5261==    by 0x44498E: common_function (evalfunc.c:3656)
> ==5261==    by 0x43765E: call_internal_func (evalfunc.c:999)
> ==5261==    by 0x5AA725: call_func (userfunc.c:1372)
> ==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x42B689: eval0 (eval.c:3229)
> ==5261==    by 0x42C460: ex_let (eval.c:1204)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
> ==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5CD05C: exe_commands (main.c:2896)
> ==5261==    by 0x5CD05C: vim_main2 (main.c:781)
> ==5261==    by 0x5CBA5B: main (main.c:415)
> ==5261==
> ==5261== Invalid read of size 1
> ==5261==    at 0x4C2E030: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
> ==5261==    by 0x4C73A1: strncpy (string3.h:120)
> ==5261==    by 0x4C73A1: vim_strnsave (misc2.c:1305)
> ==5261==    by 0x5AA32C: call_func (userfunc.c:1251)
> ==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x431F65: ex_echo (eval.c:8175)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
> ==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5CD05C: exe_commands (main.c:2896)
> ==5261==    by 0x5CD05C: vim_main2 (main.c:781)
> ==5261==    by 0x5CBA5B: main (main.c:415)
> ==5261==  Address 0x76891d1 is 1 bytes inside a block of size 5 free'd
> ==5261==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==5261==    by 0x42B816: clear_tv (eval.c:7044)
> ==5261==    by 0x429D87: set_var (eval.c:7739)
> ==5261==    by 0x42ABFE: set_var_lval (eval.c:2210)
> ==5261==    by 0x434E56: ex_let_one (eval.c:1771)
> ==5261==    by 0x42CB58: ex_let_vars (eval.c:1248)
> ==5261==    by 0x42C4A8: ex_let (eval.c:1213)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5AB1A5: call_user_func (userfunc.c:893)
> ==5261==    by 0x5AB1A5: call_func (userfunc.c:1353)
> ==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x5AA08A: get_func_tv (userfunc.c:425)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x431F65: ex_echo (eval.c:8175)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
> ==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5CD05C: exe_commands (main.c:2896)
> ==5261==    by 0x5CD05C: vim_main2 (main.c:781)
> ==5261==    by 0x5CBA5B: main (main.c:415)
> ==5261==  Block was alloc'd at
> ==5261==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==5261==    by 0x4C70A7: lalloc (misc2.c:942)
> ==5261==    by 0x4C734E: alloc (misc2.c:840)
> ==5261==    by 0x4C734E: vim_strsave (misc2.c:1285)
> ==5261==    by 0x44498E: common_function (evalfunc.c:3656)
> ==5261==    by 0x43765E: call_internal_func (evalfunc.c:999)
> ==5261==    by 0x5AA725: call_func (userfunc.c:1372)
> ==5261==    by 0x5AA1C7: get_func_tv (userfunc.c:455)
> ==5261==    by 0x436770: eval7 (eval.c:4343)
> ==5261==    by 0x436302: eval6 (eval.c:3977)
> ==5261==    by 0x435FE2: eval5 (eval.c:3793)
> ==5261==    by 0x43580E: eval4 (eval.c:3492)
> ==5261==    by 0x4356C4: eval3 (eval.c:3409)
> ==5261==    by 0x42B962: eval2 (eval.c:3341)
> ==5261==    by 0x42B962: eval1 (eval.c:3269)
> ==5261==    by 0x42B689: eval0 (eval.c:3229)
> ==5261==    by 0x42C460: ex_let (eval.c:1204)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x459301: do_source (ex_cmds2.c:4111)
> ==5261==    by 0x458AD3: cmd_source (ex_cmds2.c:3724)
> ==5261==    by 0x45F97B: do_one_cmd (ex_docmd.c:2960)
> ==5261==    by 0x45B133: do_cmdline (ex_docmd.c:1110)
> ==5261==    by 0x5CD05C: exe_commands (main.c:2896)
> ==5261==    by 0x5CD05C: vim_main2 (main.c:781)
> ==5261==    by 0x5CBA5B: main (main.c:415)
> ==5261==
> ==5261==
> ==5261== HEAP SUMMARY:
> ==5261==     in use at exit: 335,292 bytes in 1,432 blocks
> ==5261==   total heap usage: 4,946 allocs, 3,514 frees, 672,454 bytes allocated
> ==5261==
> ==5261== LEAK SUMMARY:
> ==5261==    definitely lost: 0 bytes in 0 blocks
> ==5261==    indirectly lost: 0 bytes in 0 blocks
> ==5261==      possibly lost: 308 bytes in 5 blocks
> ==5261==    still reachable: 334,984 bytes in 1,427 blocks
> ==5261==         suppressed: 0 bytes in 0 blocks
> ==5261== Rerun with --leak-check=full to see details of leaked memory
> ==5261==
> ==5261== For counts of detected and suppressed errors, rerun with: -v
> ==5261== ERROR SUMMARY: 4 errors from 2 contexts (suppressed: 0 from 0)

Thanks, I'll fix it.

-- 
How To Keep A Healthy Level Of Insanity:
2. Page yourself over the intercom. Don't disguise your voice.

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
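The trace above tells the story: the name string is allocated by common_function() when function('sort') is evaluated, freed by clear_tv() from set_var() when the body of X() reassigns g:Y while the arguments of Y(X()) are being evaluated, and then read again by vim_strnsave() in call_func(). The following C model of that ordering is an added example, not Vim's code and not the fix Bram applied; the names g_Y, set_var, eval_arg_X, call_unsafe, call_safe and repro_safe are assumed for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Added example (not Vim's code): a minimal model of the evaluation-order
 * bug behind the Valgrind trace.  A global funcref variable owns a heap
 * string (the function name).  A call through it takes a pointer to that
 * name, then evaluates the call's arguments; X() reassigns the variable,
 * which frees the old string, and the later copy reads freed memory. */

char *g_Y = NULL;                    /* models g:Y; owns its string */

static char *dup_str(const char *s) { /* malloc'd copy, like vim_strsave() */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

void set_var(const char *name) {     /* models :let g:Y = function(name) */
    free(g_Y);                       /* clear_tv() frees the old value */
    g_Y = dup_str(name);
}

int eval_arg_X(void) {               /* models X(): reassigns g:Y mid-call */
    set_var("sort");
    return 1;
}

/* Vulnerable order, as in the report: borrow the name pointer, evaluate the
 * arguments, then copy the name.  The copy is a use after free.  Because the
 * allocator may hand the same block back, it can appear to work; Valgrind or
 * ASan is what makes it visible.  Kept for comparison, never called here. */
char *call_unsafe(int (*eval_arg)(void)) {
    const char *name = g_Y;          /* borrowed, still owned by g_Y */
    eval_arg();                      /* frees the block name points into */
    return dup_str(name);            /* reads freed memory */
}

/* Hardened order: take an owned copy before anything can free the original. */
char *call_safe(int (*eval_arg)(void)) {
    char *name = dup_str(g_Y);       /* independent of g_Y's lifetime */
    eval_arg();                      /* reassigning g_Y is now harmless */
    return name;                     /* caller frees */
}

/* The report's script with the safe order: let g:Y = ...; echo Y(X()) */
char *repro_safe(void) {
    set_var("sort");
    return call_safe(eval_arg_X);    /* returns "sort" */
}
```

The general lesson for interpreter code is that a pointer borrowed from a variable must not outlive any evaluation step that can reassign that variable; build with -fsanitize=address or run the test suite under Valgrind to catch the ordering when it regresses.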

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
