Hi afl-fuzz found another invalid memory bug with vim-8.0.329. Steps to reproduce:
$ cat >win-goto-bug.vim <<EOF
h
set buftype=
h
e x
h
q
EOF
$ valgrind vim -u NONE -S win-goto-bug.vim 2> vg.log

And vg.log contains:

==15984== Memcheck, a memory error detector
==15984== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==15984== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==15984== Command: vim -u NONE -S win-goto-bug.vim
==15984==
==15984== Invalid read of size 8
==15984==    at 0x5B25C5: win_goto (window.c:4096)
==15984==    by 0x5B773E: restore_snapshot (window.c:6546)
==15984==    by 0x5B34DE: win_close (window.c:2477)
==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
==15984==    by 0x457158: do_source (ex_cmds2.c:4306)
==15984==    by 0x456998: cmd_source (ex_cmds2.c:3919)
==15984==    by 0x456998: ex_source (ex_cmds2.c:3894)
==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
==15984==    by 0x5D20BC: exe_commands (main.c:2905)
==15984==    by 0x5D20BC: vim_main2 (main.c:781)
==15984==    by 0x5D09E9: main (main.c:415)
==15984==  Address 0x8f94138 is 8 bytes inside a block of size 6,256 free'd
==15984==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
==15984==    by 0x5B544D: win_free (window.c:4693)
==15984==    by 0x5B316D: win_free_mem (window.c:2573)
==15984==    by 0x5B316D: win_close (window.c:2420)
==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
==15984==    by 0x457158: do_source (ex_cmds2.c:4306)
==15984==    by 0x456998: cmd_source (ex_cmds2.c:3919)
==15984==    by 0x456998: ex_source (ex_cmds2.c:3894)
==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
==15984==    by 0x5D20BC: exe_commands (main.c:2905)
==15984==    by 0x5D20BC: vim_main2 (main.c:781)
==15984==    by 0x5D09E9: main (main.c:415)
==15984==  Block was alloc'd at
==15984==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==15984==    by 0x4C5C47: lalloc (misc2.c:942)
==15984==    by 0x4C5D93: alloc_clear (misc2.c:864)
==15984==    by 0x5B5062: win_alloc (window.c:4493)
==15984==    by 0x5B4270: win_split_ins (window.c:1012)
==15984==    by 0x44E572: ex_help (ex_cmds.c:6318)
==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
==15984==    by 0x457158: do_source (ex_cmds2.c:4306)
==15984==    by 0x456998: cmd_source (ex_cmds2.c:3919)
==15984==    by 0x456998: ex_source (ex_cmds2.c:3894)
==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
(snip more errors after that...)

It's not a recent regression, since it also happens at least with vim-7.4.52 that comes with ubuntu-14.04. I did not try earlier versions.

Sorry, no patch. I don't know how to fix it.

Regards,
Dominique
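An added example, not code from vim and not part of Dominique's report: a small model of the bug class the valgrind trace shows. A snapshot keeps a raw pointer to a window, the window is freed on close, and the restore path hands that stale pointer to win_goto. The model guards the restore with a liveness check against the window list plus an identity check that survives malloc handing the same address to a new window. The names win_T, win_valid, make_snapshot and restore_snapshot echo vim's vocabulary, but every structure and function below is an assumption made for illustration, not vim's implementation.

```c
/* Added example: models the use-after-free pattern in the trace above.
 * Not vim code; all names and structures here are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct win_S {
    unsigned      w_id;      /* never reused, unlike the heap address */
    int           w_height;
    struct win_S *w_next;
} win_T;

static win_T   *firstwin = NULL;   /* singly linked list of live windows */
static win_T   *curwin   = NULL;
static unsigned next_id  = 1;

win_T *win_alloc(void)
{
    win_T *wp = calloc(1, sizeof(*wp));
    if (wp == NULL)
        abort();
    wp->w_id = next_id++;
    wp->w_height = 10;
    wp->w_next = firstwin;
    firstwin = wp;
    curwin = wp;
    return wp;
}

void win_free(win_T *wp)
{
    win_T **pp = &firstwin;
    while (*pp != NULL && *pp != wp)
        pp = &(*pp)->w_next;
    if (*pp == wp)
        *pp = wp->w_next;
    if (curwin == wp)
        curwin = firstwin;
    memset(wp, 0xAA, sizeof(*wp));  /* poison so a stale read is visible even without valgrind */
    free(wp);
}

/* True only while wp is still on the live list: the check the crashing path lacks. */
int win_valid(const win_T *wp)
{
    for (const win_T *p = firstwin; p != NULL; p = p->w_next)
        if (p == wp)
            return 1;
    return 0;
}

typedef struct {
    win_T   *sn_curwin;   /* raw pointer: goes stale when the window is closed */
    unsigned sn_id;       /* identity that survives address reuse by malloc */
    int      sn_height;
} snapshot_T;

void make_snapshot(snapshot_T *sn)
{
    sn->sn_curwin = curwin;
    sn->sn_id     = curwin->w_id;
    sn->sn_height = curwin->w_height;
}

/* An unguarded restore would use sn->sn_curwin unconditionally, which is the
 * stale dereference valgrind reports. This one refuses when the pointer is off
 * the live list or the address now belongs to a different window.
 * Returns 1 when restored, 0 when the snapshot was discarded. */
int restore_snapshot(const snapshot_T *sn)
{
    if (!win_valid(sn->sn_curwin) || sn->sn_curwin->w_id != sn->sn_id)
        return 0;
    curwin = sn->sn_curwin;
    curwin->w_height = sn->sn_height;
    return 1;
}

/* Shape of the report: split off a help window, snapshot it, close it, restore. */
int replay_closed_window(void)
{
    win_T *w1 = win_alloc();
    win_T *help = win_alloc();            /* :h opens a new split */
    snapshot_T sn;
    make_snapshot(&sn);                   /* snapshot now points at help */
    win_free(help);                       /* window closed, memory freed */
    win_T *reuse = win_alloc();           /* may land on help's old address */
    int restored = restore_snapshot(&sn); /* 0 either way: not live, or id differs */
    int ok = (restored == 0 && curwin == reuse);
    win_free(reuse);
    win_free(w1);
    return ok;
}

/* Same machinery on a window that is still open: restore must succeed. */
int replay_live_window(void)
{
    win_T *w = win_alloc();
    w->w_height = 3;
    snapshot_T sn;
    make_snapshot(&sn);
    w->w_height = 7;
    int ok = (restore_snapshot(&sn) == 1 && w->w_height == 3 && curwin == w);
    win_free(w);
    return ok;
}

int main(void)
{
    printf("closed window: %s\n", replay_closed_window() ? "rejected" : "STALE DEREF");
    printf("live window:   %s\n", replay_live_window() ? "restored" : "FAILED");
    return 0;
}
```

Walking the window list, as win_valid does here, is enough to stop the freed-pointer read in the trace; the id comparison is the extra step that matters once malloc recycles the freed block for a new window, because a list walk alone would then accept the wrong window. Running the model under valgrind or ASan stays clean because the stale pointer is only compared, never dereferenced, before the check passes.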
