Hi,
On Mon, Dec 18, 2017 at 8:54 AM, Dominique Pellé
<[email protected]> wrote:
> afl-fuzz found a case where free memory is used in
> quickfix and which results in a crash.
>
Thanks for reporting the crash. I have simplified the test function:
func X()
  call setloclist(0, [], 'a', {'context' : []})
  lopen | only
  call test_garbagecollect_now()
  echo getloclist(0, {'context' : 1}).context
endfunc
call X()
The code that marks the context as in use is not handling the case
where a location list is only attached to the location list window
and not to a regular window. Will try to send a fix later.
Regards,
Yegappan
>
> It happens with the latest vim-8.0.1404 and older.
>
> Steps to reproduce:
>
> $ cat use-free-mem-quickfix.vim
> func X(c)
>   wincmd p
>   call setloclist(0, [])
>   lopen
>   if a:c == 'c'
>     copen|cclose
>   endif
>   call setloclist(0, [], 'a', {'context':[]})
>   call test_garbagecollect_now()
>   call setloclist(0, [], 'f')
> endfunc
> call X('c')
> call X('l')
>
> $ ./vim -u NONE -S use-free-mem-quickfix.vim -c qa
> Vim: Caught deadly signal SEGV
> Vim: Finished.
> Segmentation fault (core dumped)
>
> $ valgrind --num-callers=50 ./vim -u NONE -e -s -S use-free-mem-quickfix.vim -c qa
> ==11633== Memcheck, a memory error detector
> ==11633== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
> ==11633== Using Valgrind-3.14.0.GIT and LibVEX; rerun with -h for copyright info
> ==11633== Command: ./vim -u NONE -e -s -S use-free-mem-quickfix.vim -c qa
> ==11633==
> ==11633== Invalid read of size 4
> ==11633== at 0x4AF71C: list_unref (list.c:124)
> ==11633== by 0x432685: free_tv (eval.c:7080)
> ==11633== by 0x5214E2: qf_free (quickfix.c:2965)
> ==11633== by 0x5214E2: qf_free_stack (quickfix.c:5340)
> ==11633== by 0x5214E2: set_errorlist (quickfix.c:5405)
> ==11633== by 0x44F14B: set_qf_ll_list (evalfunc.c:10299)
> ==11633== by 0x43FDA6: call_internal_func (evalfunc.c:1020)
> ==11633== by 0x5CB7E5: call_func (userfunc.c:1446)
> ==11633== by 0x5CB339: get_func_tv (userfunc.c:455)
> ==11633== by 0x5CF9D9: ex_call (userfunc.c:3082)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x5CC0B5: call_user_func (userfunc.c:942)
> ==11633== by 0x5CC0B5: call_func (userfunc.c:1427)
> ==11633== by 0x5CB339: get_func_tv (userfunc.c:455)
> ==11633== by 0x5CF9D9: ex_call (userfunc.c:3082)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x462CE3: do_source (ex_cmds2.c:4411)
> ==11633== by 0x462123: cmd_source (ex_cmds2.c:4024)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x62597C: exe_commands (main.c:2953)
> ==11633== by 0x62597C: vim_main2 (main.c:800)
> ==11633== by 0x624524: main (main.c:429)
> ==11633== Address 0xcdc4fb0 is 16 bytes inside a block of size 88 free'd
> ==11633== at 0x4C2ECF0: free (vg_replace_malloc.c:530)
> ==11633== by 0x4AF8FF: list_free_list (list.c:181)
> ==11633== by 0x4AF8FF: list_free_items (list.c:198)
> ==11633== by 0x437BC7: free_unref_items (eval.c:5458)
> ==11633== by 0x437BC7: garbage_collect (eval.c:5404)
> ==11633== by 0x43FDA6: call_internal_func (evalfunc.c:1020)
> ==11633== by 0x5CB7E5: call_func (userfunc.c:1446)
> ==11633== by 0x5CB339: get_func_tv (userfunc.c:455)
> ==11633== by 0x5CF9D9: ex_call (userfunc.c:3082)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x5CC0B5: call_user_func (userfunc.c:942)
> ==11633== by 0x5CC0B5: call_func (userfunc.c:1427)
> ==11633== by 0x5CB339: get_func_tv (userfunc.c:455)
> ==11633== by 0x5CF9D9: ex_call (userfunc.c:3082)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x462CE3: do_source (ex_cmds2.c:4411)
> ==11633== by 0x462123: cmd_source (ex_cmds2.c:4024)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x62597C: exe_commands (main.c:2953)
> ==11633== by 0x62597C: vim_main2 (main.c:800)
> ==11633== by 0x624524: main (main.c:429)
> ==11633== Block was alloc'd at
> ==11633== at 0x4C2DBF6: malloc (vg_replace_malloc.c:299)
> ==11633== by 0x4D4E87: lalloc (misc2.c:954)
> ==11633== by 0x4D4FE3: alloc_clear (misc2.c:876)
> ==11633== by 0x4B0A36: list_alloc (list.c:75)
> ==11633== by 0x4B0A36: get_list_tv (list.c:844)
> ==11633== by 0x43EF84: eval7 (eval.c:4310)
> ==11633== by 0x43EA82: eval6 (eval.c:4037)
> ==11633== by 0x43E782: eval5 (eval.c:3853)
> ==11633== by 0x43DFEE: eval4 (eval.c:3552)
> ==11633== by 0x43DEB4: eval3 (eval.c:3469)
> ==11633== by 0x4342D5: eval2 (eval.c:3401)
> ==11633== by 0x4342D5: eval1 (eval.c:3329)
> ==11633== by 0x41B71F: get_dict_tv (dict.c:622)
> ==11633== by 0x43EFB2: eval7 (eval.c:4319)
> ==11633== by 0x43EA82: eval6 (eval.c:4037)
> ==11633== by 0x43E782: eval5 (eval.c:3853)
> ==11633== by 0x43DFEE: eval4 (eval.c:3552)
> ==11633== by 0x43DEB4: eval3 (eval.c:3469)
> ==11633== by 0x4342D5: eval2 (eval.c:3401)
> ==11633== by 0x4342D5: eval1 (eval.c:3329)
> ==11633== by 0x5CB23D: get_func_tv (userfunc.c:425)
> ==11633== by 0x5CF9D9: ex_call (userfunc.c:3082)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x5CC0B5: call_user_func (userfunc.c:942)
> ==11633== by 0x5CC0B5: call_func (userfunc.c:1427)
> ==11633== by 0x5CB339: get_func_tv (userfunc.c:455)
> ==11633== by 0x5CF9D9: ex_call (userfunc.c:3082)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x462CE3: do_source (ex_cmds2.c:4411)
> ==11633== by 0x462123: cmd_source (ex_cmds2.c:4024)
> ==11633== by 0x468ABC: do_one_cmd (ex_docmd.c:2908)
> ==11633== by 0x464D3D: do_cmdline (ex_docmd.c:1071)
> ==11633== by 0x62597C: exe_commands (main.c:2953)
> ==11633== by 0x62597C: vim_main2 (main.c:800)
> ==11633== by 0x624524: main (main.c:429)
> (more errors after that)
>
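An added C model of the mark phase Yegappan describes, not Vim's code: the names w_llist, w_llist_ref, lv_copyID and set_ref_in_quickfix are borrowed only as labels for a simplified collector that sets a flag instead of calling free(). With the location-list window's own reference ignored, the context list is swept while the window still points at it; following that reference, the handling the reply says is missing, keeps it alive.

```c
#include <stddef.h>
typedef struct { int lv_copyID; int freed; } list_T;  /* the 'context' list */
typedef struct { list_T *context; } qf_list_T;        /* one location list */
typedef struct win_S {
    qf_list_T *w_llist;      /* location list owned by a regular window */
    qf_list_T *w_llist_ref;  /* loclist window only: the list it displays */
    struct win_S *w_next;
} win_T;

static list_T pool[8];  /* stand-in heap: every list ever allocated */
static int n_lists, current_copyID;
static list_T *list_alloc(void)
{ list_T *l = &pool[n_lists++]; l->lv_copyID = l->freed = 0; return l; }

/* Mark phase: walk every window and tag the lists it keeps alive. */
static void set_ref_in_quickfix(win_T *wins, int copyID, int follow_llist_ref)
{
    for (win_T *w = wins; w != NULL; w = w->w_next) {
        if (w->w_llist != NULL && w->w_llist->context != NULL)
            w->w_llist->context->lv_copyID = copyID;
        /* The case the report says is missing: the loclist window's own reference. */
        if (follow_llist_ref && w->w_llist_ref != NULL && w->w_llist_ref->context != NULL)
            w->w_llist_ref->context->lv_copyID = copyID;
    }
}

/* Sweep phase: any list not tagged in this pass is treated as garbage. */
static int garbage_collect(win_T *wins, int follow_llist_ref)
{
    int freed = 0;
    ++current_copyID;
    set_ref_in_quickfix(wins, current_copyID, follow_llist_ref);
    for (int i = 0; i < n_lists; i++)
        if (!pool[i].freed && pool[i].lv_copyID != current_copyID) {
            pool[i].freed = 1;  /* a real collector would free() here */
            freed++;
        }
    return freed;
}

/* Scenario: the context sits in a location list attached either to a regular
 * window (w_llist) or, after `lopen | only`, only to the loclist window
 * (w_llist_ref). Returns 1 if the context is still alive after one GC pass. */
int context_survives(int in_regular_window, int follow_llist_ref)
{
    n_lists = 0;
    qf_list_T ll = { list_alloc() };
    win_T win = { in_regular_window ? &ll : NULL, in_regular_window ? NULL : &ll, NULL };
    garbage_collect(&win, follow_llist_ref);
    return !ll.context->freed;
}
```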
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.