Dominique wrote:

> afl-fuzz found another invalid memory bug with vim-8.0.329.
> Steps to reproduce:
> 
> $ cat >win-goto-bug.vim <<EOF
> h
> set buftype=
> h
> e x
> h
> q
> EOF
> 
> $ valgrind vim -u NONE -S win-goto-bug.vim 2> vg.log
> 
> And vg.log contains:
> 
> ==15984== Memcheck, a memory error detector
> ==15984== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==15984== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==15984== Command: vim -u NONE -S win-goto-bug.vim
> ==15984==
> ==15984== Invalid read of size 8
> ==15984==    at 0x5B25C5: win_goto (window.c:4096)
> ==15984==    by 0x5B773E: restore_snapshot (window.c:6546)
> ==15984==    by 0x5B34DE: win_close (window.c:2477)
> ==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
> ==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
> ==15984==    by 0x457158: do_source (ex_cmds2.c:4306)
> ==15984==    by 0x456998: cmd_source (ex_cmds2.c:3919)
> ==15984==    by 0x456998: ex_source (ex_cmds2.c:3894)
> ==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
> ==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
> ==15984==    by 0x5D20BC: exe_commands (main.c:2905)
> ==15984==    by 0x5D20BC: vim_main2 (main.c:781)
> ==15984==    by 0x5D09E9: main (main.c:415)
> ==15984==  Address 0x8f94138 is 8 bytes inside a block of size 6,256 free'd
> ==15984==    at 0x4C2BCEF: free (vg_replace_malloc.c:530)
> ==15984==    by 0x5B544D: win_free (window.c:4693)
> ==15984==    by 0x5B316D: win_free_mem (window.c:2573)
> ==15984==    by 0x5B316D: win_close (window.c:2420)
> ==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
> ==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
> ==15984==    by 0x457158: do_source (ex_cmds2.c:4306)
> ==15984==    by 0x456998: cmd_source (ex_cmds2.c:3919)
> ==15984==    by 0x456998: ex_source (ex_cmds2.c:3894)
> ==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
> ==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
> ==15984==    by 0x5D20BC: exe_commands (main.c:2905)
> ==15984==    by 0x5D20BC: vim_main2 (main.c:781)
> ==15984==    by 0x5D09E9: main (main.c:415)
> ==15984==  Block was alloc'd at
> ==15984==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==15984==    by 0x4C5C47: lalloc (misc2.c:942)
> ==15984==    by 0x4C5D93: alloc_clear (misc2.c:864)
> ==15984==    by 0x5B5062: win_alloc (window.c:4493)
> ==15984==    by 0x5B4270: win_split_ins (window.c:1012)
> ==15984==    by 0x44E572: ex_help (ex_cmds.c:6318)
> ==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
> ==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
> ==15984==    by 0x457158: do_source (ex_cmds2.c:4306)
> ==15984==    by 0x456998: cmd_source (ex_cmds2.c:3919)
> ==15984==    by 0x456998: ex_source (ex_cmds2.c:3894)
> ==15984==    by 0x45CF5D: do_one_cmd (ex_docmd.c:2981)
> ==15984==    by 0x4591BD: do_cmdline (ex_docmd.c:1120)
> (snip more errors after that...)
> 
> It's not a recent regression, since it also happens at least
> with vim-7.4.52 that comes with ubuntu-14.04. I did not try
> earlier versions.
> 
> Sorry, no patch.  I don't know how to fix it.

Thanks for the report.  We can check if the window pointer is valid in
check_snapshot_rec().

-- 
BLACK KNIGHT: The Black Knight always triumphs. Have at you!
   ARTHUR takes his last leg off.  The BLACK KNIGHT's body lands upright.
BLACK KNIGHT: All right, we'll call it a draw.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
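The valgrind trace above shows the classic shape of this bug: win_close() frees the window struct (the "free'd at" stack), and restore_snapshot() later hands the stale pointer to win_goto(), which reads 8 bytes inside the freed block. The fix Bram sketches is to confirm the saved window pointer still refers to a live window before using it. The following is an added illustration, not Vim's code: a toy window list, a snapshot that captures a raw window pointer, and a restore step that validates the pointer against the live list. The names win_valid(), make_snapshot() and restore_snapshot() are chosen to mirror the trace and are assumptions for this example, not Vim's implementations.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration (not Vim's code): a minimal window list, a
 * snapshot that remembers a window pointer, and a restore step that checks
 * the pointer against the live list instead of dereferencing it blindly. */

typedef struct win_S {
    int id;
    int height;
    struct win_S *next;
} win_T;

typedef struct {
    win_T *saved_win;   /* raw pointer captured when the snapshot was made */
    int saved_height;
} snapshot_T;

static win_T *firstwin = NULL;   /* head of the live window list */

win_T *win_open(int id, int height) {
    win_T *wp = calloc(1, sizeof(*wp));
    if (wp == NULL) return NULL;
    wp->id = id;
    wp->height = height;
    wp->next = firstwin;
    firstwin = wp;
    return wp;
}

/* Unlink and free the window; any snapshot still holding wp now dangles.
 * This is the free() seen in the "free'd at ... win_free" stack above. */
void win_close(win_T *wp) {
    win_T **pp = &firstwin;
    while (*pp != NULL && *pp != wp) pp = &(*pp)->next;
    if (*pp != NULL) *pp = wp->next;
    free(wp);
}

/* The check proposed in the reply: is this pointer still a live window?
 * Walking the list compares addresses only and never touches *wp. */
int win_valid(const win_T *wp) {
    for (const win_T *w = firstwin; w != NULL; w = w->next)
        if (w == wp) return 1;
    return 0;
}

void make_snapshot(snapshot_T *snap, win_T *wp) {
    snap->saved_win = wp;
    snap->saved_height = wp->height;
}

/* Returns 1 if the snapshot was applied, 0 if it was stale and discarded.
 * Without the win_valid() guard this would read freed memory whenever
 * saved_win had been closed in the meantime (the invalid read above). */
int restore_snapshot(snapshot_T *snap) {
    if (!win_valid(snap->saved_win)) {
        snap->saved_win = NULL;
        return 0;
    }
    snap->saved_win->height = snap->saved_height;
    return 1;
}

void win_free_all(void) {
    while (firstwin != NULL) win_close(firstwin);
}

/* Replays the shape of the reporter's sequence: open a help-like window,
 * snapshot it, close it, then try to restore. Returns 1 if the stale
 * snapshot was rejected instead of dereferenced. */
int replay_report(void) {
    snapshot_T snap;
    win_T *help = win_open(2, 10);
    win_open(1, 20);               /* a second window stays open */
    make_snapshot(&snap, help);
    win_close(help);               /* snapshot now holds a dangling pointer */
    int rejected = (restore_snapshot(&snap) == 0);
    win_free_all();
    return rejected;
}

/* Control case: the window is still open, so the restore must apply and
 * put the saved height back. Returns 1 on success. */
int replay_valid_restore(void) {
    snapshot_T snap;
    win_T *wp = win_open(5, 7);
    make_snapshot(&snap, wp);
    wp->height = 3;
    int ok = (restore_snapshot(&snap) == 1) && (wp->height == 7);
    win_free_all();
    return ok;
}

int main(void) {
    printf("stale snapshot rejected: %d\n", replay_report());
    printf("live snapshot restored:  %d\n", replay_valid_restore());
    return 0;
}
```

Run under valgrind as the reporter did; with the guard in place there is no read of the freed block, and removing the win_valid() call from restore_snapshot() reproduces the "Invalid read ... inside a block ... free'd" report in miniature. The guard costs a walk of the window list, which is the price of keeping a raw pointer in the snapshot rather than an id or a weak reference.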

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
