Dominique wrote:
> afl-fuzz found this case which causes invalid
> memory access in vim-8.0.481 and older:
>
> $ cat > bug.vim <<EOF
> n x
> norm axxx
> split
> split
> s/x
> s/x
> al
> qa!
> EOF
>
> $ valgrind --num-callers=30 vim -u NONE -S bug.vim 2> log
>
> And log contains:
>
> ==14497== Memcheck, a memory error detector
> ==14497== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
> ==14497== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
> ==14497== Command: ./vim -u NONE -S bug.vim
> ==14497==
> ==14497== Invalid read of size 1
> ==14497==    at 0x4D8AC0: utf_head_off (mbyte.c:3746)
> ==14497==    by 0x5CEE3E: getvcol (charset.c:1307)
> ==14497==    by 0x5CF09B: getvvcol (charset.c:1482)
> ==14497==    by 0x4D6239: curs_columns (move.c:964)
> ==14497==    by 0x5998A1: win_new_height (window.c:5700)
> ==14497==    by 0x5998E6: frame_new_height (window.c:2862)
> ==14497==    by 0x599FB4: win_equal_rec (window.c:1819)
> ==14497==    by 0x59A075: win_equal_rec (window.c:2100)
> ==14497==    by 0x59AE7D: win_equal (window.c:1778)
> ==14497==    by 0x5A0318: win_close (window.c:2455)
> ==14497==    by 0x4187EE: do_arg_all (buffer.c:4978)
> ==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
> ==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
> ==14497==    by 0x467C61: do_source (ex_cmds2.c:4313)
> ==14497==    by 0x46870B: cmd_source (ex_cmds2.c:3926)
> ==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
> ==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
> ==14497==    by 0x5D449B: exe_commands (main.c:2913)
> ==14497==    by 0x5D449B: vim_main2 (main.c:789)
> ==14497==    by 0x41415D: main (main.c:418)
> ==14497==  Address 0xd5a0252 is 0 bytes after a block of size 2 alloc'd
> ==14497==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
> ==14497==    by 0x4CE130: lalloc (misc2.c:942)
> ==14497==    by 0x4CEB2D: alloc (misc2.c:840)
> ==14497==    by 0x4CEB2D: vim_strsave (misc2.c:1285)
> ==14497==    by 0x4B8597: ml_replace (memline.c:3094)
> ==14497==    by 0x45C91A: do_sub (ex_cmds.c:5703)
> ==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
> ==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
> ==14497==    by 0x467C61: do_source (ex_cmds2.c:4313)
> ==14497==    by 0x46870B: cmd_source (ex_cmds2.c:3926)
> ==14497==    by 0x473F84: do_one_cmd (ex_docmd.c:2981)
> ==14497==    by 0x473F84: do_cmdline (ex_docmd.c:1120)
> ==14497==    by 0x5D449B: exe_commands (main.c:2913)
> ==14497==    by 0x5D449B: vim_main2 (main.c:789)
> ==14497==    by 0x41415D: main (main.c:418)
>
> The cursor is beyond the end of line, causing the bug.
> I suppose that check_cursor() should be called, but where?

I can reproduce the problem with the script, thus I can turn it into a test.

> Vim-7.4.52 which comes with xubuntu-14.04 does not have this bug.
>
> Doing a bisection:
>
> 8.0.250 BUG
> 8.0.249 OK
>
> So the bug is introduced by this change:
>
> commit 0c0590d9827cb07a33c1552cb3558b94bddcb4dc
> Author: Bram Moolenaar <[email protected]>
> Date:   Sat Jan 28 13:48:10 2017 +0100
>
>     patch 8.0.0250: virtcol() does not work well for multi-byte characters
>
>     Problem:    When virtcol() gets a column that is not the first byte of a
>                 multi-byte character the result is unpredictable. (Christian
>                 Ludwig)
>     Solution:   Correct the column to the first byte of a multi-byte
>                 character.
>                 Change the utf-8 test to new style.

I don't think this change caused the bug, it's just the first piece of code to run into it.

The main problem is that in win_close() curwin is changed without calling check_cursor() right away. Having an invalid cursor position for a little while is dangerous, so let's check it right after setting curwin.

--
hundred-and-one symptoms of being an internet addict:
159. You get excited whenever discussing your hard drive.

/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///  sponsor Vim, vote for features -- http://www.Vim.org/sponsor/  \\\
\\\  an exciting new programming language -- http://www.Zimbu.org  ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
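A simplified C model of the invariant discussed in this thread, added here as an illustration rather than taken from Vim: `clamp_col` and `utf8_head_off_checked` are hypothetical stand-ins for check_cursor() and utf_head_off(), and the line content and stale column are constructed to mirror the script, where the substitutions shorten a line the cursor column was computed against.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for check_cursor(): clamp a byte column so that it indexes an
 * existing byte of the line (column 0 on an empty line). */
size_t clamp_col(const char *line, size_t col)
{
    size_t len = strlen(line);
    if (len == 0)
        return 0;
    return col < len ? col : len - 1;
}

/* Stand-in for utf_head_off(): how many bytes before line[col] the UTF-8
 * character containing that byte starts.  Unlike an unchecked walk, it
 * refuses an out-of-range column (returns -1) instead of reading line[col]
 * past the allocation, which is the one-byte invalid read valgrind reported. */
int utf8_head_off_checked(const char *line, size_t col)
{
    size_t len = strlen(line);
    size_t i;

    if (col >= len)
        return -1;
    /* Walk back over continuation bytes (10xxxxxx) to the head byte. */
    for (i = col; i > 0 && ((unsigned char)line[i] & 0xC0) == 0x80; --i)
        ;
    return (int)(col - i);
}

/* Replay of the script's effect on one line: "xxx" after two ":s/x" is "x",
 * but a cursor column set while the line was longer keeps its old value. */
int stale_cursor_demo(size_t *out_col)
{
    const char *line = "x";   /* constructed: the line after both substitutions */
    size_t cursor_col = 2;    /* constructed: column left over from the longer line */

    /* Without the clamp the lookup is refused (it would be an invalid read). */
    if (utf8_head_off_checked(line, cursor_col) != -1)
        return 0;
    /* With a check_cursor-style clamp applied first, the lookup is in range. */
    cursor_col = clamp_col(line, cursor_col);
    *out_col = cursor_col;
    return utf8_head_off_checked(line, cursor_col) == 0;
}
```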
