Hi

The attached file "crash.vim" causes vim-8.1.55 and older to crash:

$ vim --clean -S crash.vim
Vim: Caught deadly signal SEGV
Vim: preserving files...
Segmentation fault (core dump)

(gdb) bt
#0  mch_print_text_out (p=0x0, p@entry=0x555555c1d3ce "\377", len=<optimized out>, len@entry=1) at hardcopy.c:3535
#1  0x00005555556254ab in hardcopy_line (ppos=<synthetic pointer>, page_line=0, psettings=0x7fffffffc8f0) at hardcopy.c:942
#2  ex_hardcopy (eap=0x7fffffffcb60) at hardcopy.c:778
#3  0x00005555555ecbc2 in do_one_cmd (cookie=0x7fffffffd270, fgetline=0x5555555df850 <getsourceline>, cstack=0x7fffffffcd00, sourcing=1, cmdlinep=0x7fffffffcab0) at ex_docmd.c:2886
#4  do_cmdline (cmdline=cmdline@entry=0x555555a21bf0 "i|ha", fgetline=fgetline@entry=0x5555555df850 <getsourceline>, cookie=cookie@entry=0x7fffffffd270, flags=flags@entry=7) at ex_docmd.c:1040
#5  0x00005555555dfe37 in do_source (fname=fname@entry=0x555555c1d493 "/home/pel/crash.vim", check_other=check_other@entry=0, is_vimrc=is_vimrc@entry=0) at ex_cmds2.c:4572
#6  0x00005555555e0a61 in cmd_source (fname=0x555555c1d493 "/home/pel/crash.vim", eap=<optimized out>) at ex_cmds2.c:4187
#7  0x00005555555ecbc2 in do_one_cmd (cookie=0x0, fgetline=0x0, cstack=0x7fffffffd700, sourcing=1, cmdlinep=0x7fffffffd4b0) at ex_docmd.c:2886
#8  do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:1040
#9  0x0000555555766bd0 in exe_commands (parmp=0x555555a0e3c0 <params>) at main.c:2937
#10 vim_main2 () at main.c:812
#11 0x0000555555585b0d in main (argc=<optimized out>, argv=<optimized out>) at main.c:443
(gdb) p p
$2 = (char_u *) 0x0

Doing a bisection, I found that it's a regression introduced by patch 8.0.1503 which removed a check for string_convert(...) returning NULL.

Attached patch fixes it. I did not write a test as I did not see how to automate it.

Bug was found by fuzzing vim with afl-fuzz.

Regards
Dominique
crash.vim
Description: Binary data
diff --git a/src/hardcopy.c b/src/hardcopy.c
index 91f62c39f..309a28276 100644
--- a/src/hardcopy.c
+++ b/src/hardcopy.c
@@ -3508,8 +3508,15 @@ mch_print_text_out(char_u *p, int len UNUSED)
#ifdef FEAT_MBYTE
if (prt_do_conv)
+ {
/* Convert from multi-byte to 8-bit encoding */
tofree = p = string_convert(&prt_conv, p, &len);
+ if (p == NULL)
+ {
+ p = (char_u *)"";
+ len = 0;
+ }
+ }
if (prt_out_mbyte)
{
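Review bot: In the new `if (p == NULL)` branch, a failed string_convert() is turned into an empty string with len = 0, so the text that was passed in disappears from the hardcopy output with no indication that anything was skipped. Since the assignment `tofree = p = string_convert(&prt_conv, p, &len);` overwrites the incoming pointer, consider saving the original p and len in locals first, so the failure path can either emit the unconverted bytes or report an error instead of printing nothing. tofree stays NULL on this path, which is what you want if it is freed later, because p now points at a string literal; a one-line comment saying so would keep a future cleanup from "fixing" it. The `if (prt_out_mbyte)` code that follows now runs with len == 0, so it is worth confirming that it handles a zero-length string.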
