Hi

The following script found by afl-fuzz causes vim-8.0.1213 (huge) and older to access freed memory when built with -DEXITFREE:
$ cat bug.vim
tabedit
sp X
sp
au WinLeave X tabnext
close
qa

$ valgrind --num-callers=30 vim -u NONE -S bug.vim 2> vg.log

And vg.log contains:

==14381== Memcheck, a memory error detector
==14381== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==14381== Using Valgrind-3.14.0.GIT and LibVEX; rerun with -h for copyright info
==14381== Command: vim -u NONE -S bug.vim
==14381==
==14381== Invalid read of size 1
==14381==    at 0x4C30A12: strlen (vg_replace_strmem.c:458)
==14381==    by 0x4D581D: vim_strsave (misc2.c:1290)
==14381==    by 0x50AEE6: buf_copy_options (option.c:11083)
==14381==    by 0x5B09A9: win_enter_ext (window.c:4392)
==14381==    by 0x5B0C58: enter_tabpage (window.c:3912)
==14381==    by 0x5B4266: close_last_window_tabpage.part.20 (window.c:2239)
==14381==    by 0x5B4729: close_last_window_tabpage (window.c:2364)
==14381==    by 0x5B4729: win_close (window.c:2311)
==14381==    by 0x46E2E8: ex_win_close (ex_docmd.c:7418)
==14381==    by 0x473D3F: tabpage_close (ex_docmd.c:7622)
==14381==    by 0x5B6221: win_free_all (window.c:2599)
==14381==    by 0x4D8F3B: free_all_mem (misc2.c:1197)
==14381==    by 0x512F08: mch_exit (os_unix.c:3371)
==14381==    by 0x5F27EA: getout (main.c:1544)
==14381==    by 0x470A61: ex_quit_all (ex_docmd.c:7320)
==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
==14381==    by 0x46AFEB: do_source (ex_cmds2.c:4355)
==14381==    by 0x46BB2B: cmd_source (ex_cmds2.c:3968)
==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
==14381==    by 0x5F44F0: exe_commands (main.c:2955)
==14381==    by 0x5F44F0: vim_main2 (main.c:800)
==14381==    by 0x413E41: main (main.c:429)
==14381==  Address 0x10db57d0 is 0 bytes inside a block of size 12 free'd
==14381==    at 0x4C2ECF0: free (vg_replace_malloc.c:530)
==14381==    by 0x5030A9: free_string_option (option.c:5715)
==14381==    by 0x5030A9: free_all_options (option.c:3892)
==14381==    by 0x4D8E11: free_all_mem (misc2.c:1138)
==14381==    by 0x512F08: mch_exit (os_unix.c:3371)
==14381==    by 0x5F27EA: getout (main.c:1544)
==14381==    by 0x470A61: ex_quit_all (ex_docmd.c:7320)
==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
==14381==    by 0x46AFEB: do_source (ex_cmds2.c:4355)
==14381==    by 0x46BB2B: cmd_source (ex_cmds2.c:3968)
==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
==14381==    by 0x5F44F0: exe_commands (main.c:2955)
==14381==    by 0x5F44F0: vim_main2 (main.c:800)
==14381==    by 0x413E41: main (main.c:429)
==14381==  Block was alloc'd at
==14381==    at 0x4C2DBF6: malloc (vg_replace_malloc.c:299)
==14381==    by 0x4D4DE0: lalloc (misc2.c:954)
==14381==    by 0x4D582D: alloc (misc2.c:852)
==14381==    by 0x4D582D: vim_strsave (misc2.c:1291)
==14381==    by 0x50037D: set_string_option_global (option.c:5901)
==14381==    by 0x5045F1: set_string_option_direct (option.c:5865)
==14381==    by 0x5048B3: set_option_default (option.c:3746)
==14381==    by 0x50496B: set_options_default (option.c:3822)
==14381==    by 0x50FA2C: set_init_1 (option.c:3520)
==14381==    by 0x5F2F65: common_init (main.c:1027)
==14381==    by 0x41374B: main (main.c:173)

...snip many other errors after that...

Sorry, no patch, not sure how to fix it.

Regards
Dominique

-- 
You received this message from the "vim_dev" maillist.
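The trace above shows an ordering problem inside free_all_mem(): free_all_options() frees a string option (misc2.c:1138), and later in the same function win_free_all() (misc2.c:1197) closes the last tab page, whose enter path runs buf_copy_options() and thus vim_strsave()/strlen() on the string that was just freed. The following C model, added here and not taken from vim's source, reproduces that shape with two assumed globals (a string option and a buffer's copy of it) and stand-in functions named after the frames in the trace. It nulls the pointer on free so the stale copy is reported as a return code instead of being read from freed memory, and it contrasts the trace's order with tearing windows down before options. Whether vim's eventual fix reordered the teardown or did something else is not stated in this message; the reversal is only one illustration.

```c
/*
 * Added model of the free-then-copy ordering in the valgrind trace.
 * Not vim code: the globals, function bodies and return codes are
 * assumptions chosen to make the stale read observable without UB.
 */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

static char *global_option;   /* assumed: a global string option value */
static char *buffer_copy;     /* assumed: the current buffer's copy of it */

/* Stand-in for vim_strsave(): heap copy of a C string (strlen + malloc). */
static char *strsave_model(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Stand-in for set_init_1(): allocate the option default at startup. */
static void init_model(void)
{
    free(global_option);
    free(buffer_copy);
    global_option = strsave_model("default value");
    buffer_copy = NULL;
}

/* Stand-in for free_string_option()/free_all_options().  Nulling the
 * pointer after free() turns a later use-after-free into a NULL check. */
static void free_all_options_model(void)
{
    free(global_option);
    global_option = NULL;
}

/* Stand-in for buf_copy_options() as reached from enter_tabpage() ->
 * win_enter_ext().  Returns 0 on success, -1 if the source option has
 * already been freed (the read the trace reports as "Invalid read"). */
static int buf_copy_options_model(void)
{
    if (global_option == NULL)
        return -1;
    free(buffer_copy);
    buffer_copy = strsave_model(global_option);
    return buffer_copy != NULL ? 0 : -1;
}

/* Stand-in for win_free_all(): closing the last tab page enters another
 * one, which copies the global options into the new current buffer. */
static int win_free_all_model(void)
{
    int rc = buf_copy_options_model();
    free(buffer_copy);
    buffer_copy = NULL;
    return rc;
}

/* The order seen in the trace: options freed first, windows torn down
 * afterwards.  Returns -1 because the copy reads a freed option. */
int exit_free_trace_order(void)
{
    init_model();
    free_all_options_model();
    int rc = win_free_all_model();
    return rc;
}

/* Reversed order: tear windows down while the options are still alive,
 * then free the options.  Returns 0 because no stale read occurs. */
int exit_free_windows_first(void)
{
    init_model();
    int rc = win_free_all_model();
    free_all_options_model();
    return rc;
}
```

Under valgrind the real vim binary reports the same sequence as "Invalid read of size 1" in strlen with the block "free'd" by free_all_options and "alloc'd" by set_init_1; in the model the -1 from exit_free_trace_order() stands in for that report.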
