Dominique wrote:

> The following script found by afl-fuzz causes
> vim-8.0.1213 (huge) and older to access free
> memory when built with -DEXITFREE:
> 
> $ cat bug.vim
> tabedit
> sp X
> sp
> au WinLeave X tabnext
> close
> qa
> 
> $ valgrind --num-callers=30 vim -u NONE -S bug.vim 2> vg.log
> 
> And vg.log contains:
> 
> ==14381== Memcheck, a memory error detector
> ==14381== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==14381== Using Valgrind-3.14.0.GIT and LibVEX; rerun with -h for copyright info
> ==14381== Command: vim -u NONE -S bug.vim
> ==14381==
> ==14381== Invalid read of size 1
> ==14381==    at 0x4C30A12: strlen (vg_replace_strmem.c:458)
> ==14381==    by 0x4D581D: vim_strsave (misc2.c:1290)
> ==14381==    by 0x50AEE6: buf_copy_options (option.c:11083)
> ==14381==    by 0x5B09A9: win_enter_ext (window.c:4392)
> ==14381==    by 0x5B0C58: enter_tabpage (window.c:3912)
> ==14381==    by 0x5B4266: close_last_window_tabpage.part.20 (window.c:2239)
> ==14381==    by 0x5B4729: close_last_window_tabpage (window.c:2364)
> ==14381==    by 0x5B4729: win_close (window.c:2311)
> ==14381==    by 0x46E2E8: ex_win_close (ex_docmd.c:7418)
> ==14381==    by 0x473D3F: tabpage_close (ex_docmd.c:7622)
> ==14381==    by 0x5B6221: win_free_all (window.c:2599)
> ==14381==    by 0x4D8F3B: free_all_mem (misc2.c:1197)
> ==14381==    by 0x512F08: mch_exit (os_unix.c:3371)
> ==14381==    by 0x5F27EA: getout (main.c:1544)
> ==14381==    by 0x470A61: ex_quit_all (ex_docmd.c:7320)
> ==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
> ==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
> ==14381==    by 0x46AFEB: do_source (ex_cmds2.c:4355)
> ==14381==    by 0x46BB2B: cmd_source (ex_cmds2.c:3968)
> ==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
> ==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
> ==14381==    by 0x5F44F0: exe_commands (main.c:2955)
> ==14381==    by 0x5F44F0: vim_main2 (main.c:800)
> ==14381==    by 0x413E41: main (main.c:429)
> ==14381==  Address 0x10db57d0 is 0 bytes inside a block of size 12 free'd
> ==14381==    at 0x4C2ECF0: free (vg_replace_malloc.c:530)
> ==14381==    by 0x5030A9: free_string_option (option.c:5715)
> ==14381==    by 0x5030A9: free_all_options (option.c:3892)
> ==14381==    by 0x4D8E11: free_all_mem (misc2.c:1138)
> ==14381==    by 0x512F08: mch_exit (os_unix.c:3371)
> ==14381==    by 0x5F27EA: getout (main.c:1544)
> ==14381==    by 0x470A61: ex_quit_all (ex_docmd.c:7320)
> ==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
> ==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
> ==14381==    by 0x46AFEB: do_source (ex_cmds2.c:4355)
> ==14381==    by 0x46BB2B: cmd_source (ex_cmds2.c:3968)
> ==14381==    by 0x477723: do_one_cmd (ex_docmd.c:2908)
> ==14381==    by 0x477723: do_cmdline (ex_docmd.c:1071)
> ==14381==    by 0x5F44F0: exe_commands (main.c:2955)
> ==14381==    by 0x5F44F0: vim_main2 (main.c:800)
> ==14381==    by 0x413E41: main (main.c:429)
> ==14381==  Block was alloc'd at
> ==14381==    at 0x4C2DBF6: malloc (vg_replace_malloc.c:299)
> ==14381==    by 0x4D4DE0: lalloc (misc2.c:954)
> ==14381==    by 0x4D582D: alloc (misc2.c:852)
> ==14381==    by 0x4D582D: vim_strsave (misc2.c:1291)
> ==14381==    by 0x50037D: set_string_option_global (option.c:5901)
> ==14381==    by 0x5045F1: set_string_option_direct (option.c:5865)
> ==14381==    by 0x5048B3: set_option_default (option.c:3746)
> ==14381==    by 0x50496B: set_options_default (option.c:3822)
> ==14381==    by 0x50FA2C: set_init_1 (option.c:3520)
> ==14381==    by 0x5F2F65: common_init (main.c:1027)
> ==14381==    by 0x41374B: main (main.c:173)
> ...snip many other errors after that...
> 
> Sorry, no patch, not sure how to fix it.

Thanks.  Quite a tricky script.

Freeing options later helps.  But uncovers another problem.
Skipping redraw when exiting appears to fix that one.
I'll make a patch.

-- 
ARTHUR:  You fight with the strength of many men, Sir knight.
         I am Arthur, King of the Britons.  [pause]
         I seek the finest and the bravest knights in the land to join me
         in my Court of Camelot.  [pause]
         You have proved yourself worthy; will you join me?  [pause]
         You make me sad.  So be it.  Come, Patsy.
BLACK KNIGHT:  None shall pass.
                                  The Quest for the Holy Grail (Monty Python)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\  an exciting new programming language -- http://www.Zimbu.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

-- 
You received this message from the "vim_dev" maillist.