Hi

afl-fuzz found this case which causes invalid memory access in vim-8.0.481 and older:

$ cat > bug.vim <<EOF
n x
norm axxx
split
split
s/x
s/x
al
qa!
EOF
$ valgrind --num-callers=30 vim -u NONE -S bug.vim 2> log

And log contains:

==14497== Memcheck, a memory error detector
==14497== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==14497== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==14497== Command: ./vim -u NONE -S bug.vim
==14497==
==14497== Invalid read of size 1
==14497==    at 0x4D8AC0: utf_head_off (mbyte.c:3746)
==14497==    by 0x5CEE3E: getvcol (charset.c:1307)
==14497==    by 0x5CF09B: getvvcol (charset.c:1482)
==14497==    by 0x4D6239: curs_columns (move.c:964)
==14497==    by 0x5998A1: win_new_height (window.c:5700)
==14497==    by 0x5998E6: frame_new_height (window.c:2862)
==14497==    by 0x599FB4: win_equal_rec (window.c:1819)
==14497==    by 0x59A075: win_equal_rec (window.c:2100)
==14497==    by 0x59AE7D: win_equal (window.c:1778)
==14497==    by 0x5A0318: win_close (window.c:2455)
==14497==    by 0x4187EE: do_arg_all (buffer.c:4978)
==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
==14497==    by 0x467C61: do_source (ex_cmds2.c:4313)
==14497==    by 0x46870B: cmd_source (ex_cmds2.c:3926)
==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
==14497==    by 0x5D449B: exe_commands (main.c:2913)
==14497==    by 0x5D449B: vim_main2 (main.c:789)
==14497==    by 0x41415D: main (main.c:418)
==14497==  Address 0xd5a0252 is 0 bytes after a block of size 2 alloc'd
==14497==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==14497==    by 0x4CE130: lalloc (misc2.c:942)
==14497==    by 0x4CEB2D: alloc (misc2.c:840)
==14497==    by 0x4CEB2D: vim_strsave (misc2.c:1285)
==14497==    by 0x4B8597: ml_replace (memline.c:3094)
==14497==    by 0x45C91A: do_sub (ex_cmds.c:5703)
==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
==14497==    by 0x467C61: do_source (ex_cmds2.c:4313)
==14497==    by 0x46870B: cmd_source (ex_cmds2.c:3926)
==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
==14497==    by 0x5D449B: exe_commands (main.c:2913)
==14497==    by 0x5D449B: vim_main2 (main.c:789)
==14497==    by 0x41415D: main (main.c:418)

The cursor is beyond the end of line, causing the bug. I suppose that check_cursor() should be called, but where?

Vim-7.4.52 which comes with xubuntu-14.04 does not have this bug.

Doing a bisection:

8.0.250 BUG
8.0.249 OK

So the bug is introduced by this change:

commit 0c0590d9827cb07a33c1552cb3558b94bddcb4dc
Author: Bram Moolenaar <[email protected]>
Date:   Sat Jan 28 13:48:10 2017 +0100

    patch 8.0.0250: virtcol() does not work well for multi-byte characters

    Problem:    When virtcol() gets a column that is not the first byte of a
                multi-byte character the result is unpredictable. (Christian Ludwig)
    Solution:   Correct the column to the first byte of a multi-byte character.
                Change the utf-8 test to new style.

Regards
Dominique
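The failure mode the report describes, a stale cursor column indexing a line that a substitution just shortened so the multi-byte head-offset lookup reads one byte past the allocation, as an added illustration in C. This is not code from the report and not Vim's own code: head_offset, clamp_cursor_col and head_offset_checked are hypothetical reduced models, and the clamp only stands in for what a check_cursor()-style fixup would do in principle. The "xxx" line with the cursor on column 2, shrunk to "x" by two substitutions, is constructed to mirror the reproducer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reduced model of the report's failure mode; not Vim's code.
 * A line is a NUL-terminated byte string and the cursor column is a
 * 0-based byte index into it. */

/* True when b is a UTF-8 continuation byte (10xxxxxx). */
static int is_continuation_byte(unsigned char b)
{
    return (b & 0xC0) == 0x80;
}

/* Clamp a cursor column to the last byte of the line, the way a
 * check_cursor()-style fixup would after an edit shrank the line.
 * An empty line only has column 0. (Assumed behaviour, not Vim's.) */
size_t clamp_cursor_col(size_t line_len, size_t col)
{
    if (line_len == 0)
        return 0;
    if (col >= line_len)
        return line_len - 1;
    return col;
}

/* Distance from byte col back to the head byte of the character it
 * belongs to. It must inspect line[col], so col has to be inside the
 * line; instead of reading out of bounds it returns -1, which marks the
 * exact condition Valgrind flagged in the report. */
long head_offset(const char *line, size_t col)
{
    size_t line_len = strlen(line);
    if (col >= line_len)
        return -1;  /* an unclamped caller would read past the buffer here */
    const unsigned char *p = (const unsigned char *)line;
    size_t head = col;
    while (head > 0 && is_continuation_byte(p[head]))
        head--;
    return (long)(col - head);
}

/* Hardened variant: bring the column back into the line first. */
long head_offset_checked(const char *line, size_t col)
{
    return head_offset(line, clamp_cursor_col(strlen(line), col));
}

int main(void)
{
    /* Constructed reproduction: "xxx" with the cursor on the last x
     * (column 2); two substitutions shrink the line to "x". */
    const char *before = "xxx";
    const char *after = "x";
    size_t cursor = 2;

    printf("before edit: head_offset=%ld\n", head_offset(before, cursor));
    printf("after edit, stale cursor: head_offset=%ld (out of bounds)\n",
           head_offset(after, cursor));
    printf("after edit, clamped: col=%zu head_offset=%ld\n",
           clamp_cursor_col(strlen(after), cursor),
           head_offset_checked(after, cursor));

    /* Multi-byte case: e-acute is C3 A9, so column 1 is a continuation
     * byte and the head lies one byte back. */
    printf("e-acute, col 1: head_offset=%ld\n", head_offset("\xC3\xA9", 1));
    return 0;
}
```

The point of the split into head_offset and head_offset_checked is that the bounds condition lives where the byte is actually read, so a caller that forgot to fix up the cursor gets a visible -1 rather than a silent one-byte over-read that only Valgrind or ASan would notice.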
