Hi, afl-fuzz found this case that causes an invalid memory access with vim-8.0.566 and older:
$ valgrind vim -u NONE -c'set spell|call setline(1, "\xff")|norm z=' 2>vg.log
==4997== Memcheck, a memory error detector
==4997== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4997== Using Valgrind-3.12.0.SVN and LibVEX; rerun with -h for copyright info
==4997== Command: vim -u NONE -cset\ spell|call\ setline(1,\ "\\xff")|norm\ z=
==4997==
==4997== Invalid read of size 1
==4997==    at 0x4C2E010: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
==4997==    by 0x4C786E: strncpy (string3.h:120)
==4997==    by 0x4C786E: vim_strncpy (misc2.c:1716)
==4997==    by 0x5730C0: check_suggestions (spell.c:6871)
==4997==    by 0x56EAFB: spell_suggest_intern (spell.c:4075)
==4997==    by 0x56EAFB: spell_find_suggest (spell.c:3881)
==4997==    by 0x56D8C2: spell_suggest (spell.c:3417)
==4997==    by 0x4E0C63: nv_zet (normal.c:5210)
==4997==    by 0x4D6B66: normal_cmd (normal.c:1150)
==4997==    by 0x4622C1: exec_normal (ex_docmd.c:10475)
==4997==    by 0x4621AD: exec_normal_cmd (ex_docmd.c:10458)
==4997==    by 0x4621AD: ex_normal (ex_docmd.c:10367)
==4997==    by 0x45D154: do_one_cmd (ex_docmd.c:3021)
==4997==    by 0x45944D: do_cmdline (ex_docmd.c:1160)
==4997==    by 0x5D347C: exe_commands (main.c:2923)
==4997==    by 0x5D347C: vim_main2 (main.c:790)
==4997==  Address 0x7820ef2 is 0 bytes after a block of size 2 alloc'd
==4997==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==4997==    by 0x4C6A27: lalloc (misc2.c:942)
==4997==    by 0x4C6CDE: alloc (misc2.c:840)
==4997==    by 0x4C6CDE: vim_strsave (misc2.c:1285)
==4997==    by 0x56D877: spell_suggest (spell.c:3407)
==4997==    by 0x4E0C63: nv_zet (normal.c:5210)
==4997==    by 0x4D6B66: normal_cmd (normal.c:1150)
==4997==    by 0x4622C1: exec_normal (ex_docmd.c:10475)
==4997==    by 0x4621AD: exec_normal_cmd (ex_docmd.c:10458)
==4997==    by 0x4621AD: ex_normal (ex_docmd.c:10367)
==4997==    by 0x45D154: do_one_cmd (ex_docmd.c:3021)
==4997==    by 0x45944D: do_cmdline (ex_docmd.c:1160)
==4997==    by 0x5D347C: exe_commands (main.c:2923)
==4997==    by 0x5D347C: vim_main2 (main.c:790)
==4997==    by 0x5D1D99: main (main.c:419)

--
You received this message from the "vim_dev" maillist. For more information, visit http://www.vim.org/maillist.php
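As an added triage example (not part of the report above, nor Vim's own code), a small Python parser for a Memcheck record of this shape: it pulls out the access kind and size, the first stack frame outside Valgrind's replacement library and libc headers, and the allocation the faulting address lies past, which are the fields a fuzzing pipeline typically de-duplicates crashes on. The sample log is constructed from the report, trimmed to a few frames per stack.

```python
import re

# Constructed sample: the Memcheck record from the report above, one line per frame.
SAMPLE_LOG = """\
==4997== Invalid read of size 1
==4997==    at 0x4C2E010: __strncpy_sse2_unaligned (vg_replace_strmem.c:548)
==4997==    by 0x4C786E: strncpy (string3.h:120)
==4997==    by 0x4C786E: vim_strncpy (misc2.c:1716)
==4997==    by 0x5730C0: check_suggestions (spell.c:6871)
==4997==  Address 0x7820ef2 is 0 bytes after a block of size 2 alloc'd
==4997==    at 0x4C2ABF5: malloc (vg_replace_malloc.c:299)
==4997==    by 0x4C6A27: lalloc (misc2.c:942)
==4997==    by 0x4C6CDE: vim_strsave (misc2.c:1285)
==4997==    by 0x56D877: spell_suggest (spell.c:3407)
"""
ERROR_RE = re.compile(r"^==\d+== (Invalid (?:read|write)) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \(([^:)]+)(?::(\d+))?\)$")
BLOCK_RE = re.compile(r"^==\d+==\s+Address 0x[0-9a-f]+ is (\d+) bytes (after|before|inside)"
                      r" a block of size (\d+) (alloc'd|free'd)$")

def parse_memcheck(text):
    """Return one dict per Memcheck error: kind, size, access frames, block info, alloc frames."""
    errors, cur, frames = [], None, None
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            cur = {"kind": m[1], "size": int(m[2]), "frames": [], "block": None, "alloc_frames": []}
            errors.append(cur)
            frames = cur["frames"]          # frames that follow belong to the access stack
        elif cur and (m := BLOCK_RE.match(line)):
            cur["block"] = {"offset": int(m[1]), "where": m[2], "size": int(m[3]), "state": m[4]}
            frames = cur["alloc_frames"]    # frames that follow belong to the allocation stack
        elif cur and (m := FRAME_RE.match(line)):
            frames.append((m[1], m[2], int(m[3]) if m[3] else None))
    return errors

def first_app_frame(frames):
    """Skip Valgrind's replacement functions and libc headers; return the first project frame."""
    for func, file, line in frames:
        if not (file.startswith("vg_replace_") or file.endswith(".h")):
            return func, file, line
    return None

def triage(err):
    """One-line summary a crash-triage pipeline can de-duplicate on."""
    f = first_app_frame(err["frames"]) or ("?", "?", 0)
    a = first_app_frame(err["alloc_frames"]) or ("?", "?", 0)
    b = err["block"]
    where = f"{b['offset']} byte(s) {b['where']} a {b['size']}-byte block" if b else "unknown block"
    return (f"{err['kind']} of {err['size']} byte(s) in {f[0]} ({f[1]}:{f[2]}): "
            f"{where}, allocated in {a[0]} ({a[1]}:{a[2]})")
```

Running `triage(e)` for each `e` in `parse_memcheck(SAMPLE_LOG)` reduces the record to the overread in vim_strncpy past the 2-byte block from lalloc; the same parser works on a full `--log-file` output with several records.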
