Hi

afl-fuzz found this case which causes vim-8.1.59
and older to sometimes crash:

$ vim --clean -c new -c new -c 'au * * bw' -c lbuffer -cq
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)

Valgrind says:

==7895== Memcheck, a memory error detector
==7895== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==7895== Using Valgrind-3.14.0.GIT and LibVEX; rerun with -h for copyright info
==7895== Command: ./vim --clean -c new -c new -c au\ *\ *\ bw -c lbuffer -cq
==7895==
==7895== Invalid read of size 4
==7895==    at 0x246C1F: qf_jump (quickfix.c:2909)
==7895==    by 0x1A0D01: do_one_cmd (ex_docmd.c:2886)
==7895==    by 0x1A0D01: do_cmdline (ex_docmd.c:1040)
==7895==    by 0x31AE2F: exe_commands (main.c:2937)
==7895==    by 0x31AE2F: vim_main2 (main.c:812)
==7895==    by 0x139B0C: main (main.c:443)
==7895==  Address 0x92cb898 is 8 bytes inside a block of size 1,216 free'd
==7895==    at 0x4C30CF0: free (vg_replace_malloc.c:530)
==7895==    by 0x24690B: qf_free_all (quickfix.c:1702)
==7895==    by 0x2E1BDE: win_free (window.c:4717)
==7895==    by 0x2E3633: win_free_mem (window.c:2596)
==7895==    by 0x2E3633: win_close (window.c:2441)
==7895==    by 0x145097: do_buffer (buffer.c:1432)
==7895==    by 0x1458D5: do_bufdel (buffer.c:1112)
==7895==    by 0x197A54: ex_bunload (ex_docmd.c:5532)
==7895==    by 0x1A0D01: do_one_cmd (ex_docmd.c:2886)
==7895==    by 0x1A0D01: do_cmdline (ex_docmd.c:1040)
==7895==    by 0x1BBDB0: apply_autocmds_group (fileio.c:9690)
==7895==    by 0x1BC6F3: apply_autocmds (fileio.c:9203)
==7895==    by 0x24BDA3: ex_cbuffer (quickfix.c:6275)
==7895==    by 0x1A0D01: do_one_cmd (ex_docmd.c:2886)
==7895==    by 0x1A0D01: do_cmdline (ex_docmd.c:1040)
==7895==    by 0x31AE2F: exe_commands (main.c:2937)
==7895==    by 0x31AE2F: vim_main2 (main.c:812)
==7895==    by 0x139B0C: main (main.c:443)
==7895==  Block was alloc'd at
==7895==    at 0x4C2FBF6: malloc (vg_replace_malloc.c:299)
==7895==    by 0x1FFD30: lalloc (misc2.c:976)
==7895==    by 0x2430BD: ll_new_list (quickfix.c:1816)
==7895==    by 0x243D9C: ll_get_or_alloc_list (quickfix.c:1844)
==7895==    by 0x24BAE6: ex_cbuffer (quickfix.c:6233)
==7895==    by 0x1A0D01: do_one_cmd (ex_docmd.c:2886)
==7895==    by 0x1A0D01: do_cmdline (ex_docmd.c:1040)
==7895==    by 0x31AE2F: exe_commands (main.c:2937)
==7895==    by 0x31AE2F: vim_main2 (main.c:812)
==7895==    by 0x139B0C: main (main.c:443)

Doing bwipe inside an autocommand is asking for
trouble, but perhaps avoid the crash anyway.

Regards
Dominique
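The trace above shows the sequence: ex_cbuffer allocates the location list, the autocommand it fires wipes the window (freeing that list via qf_free_all), and qf_jump then reads the freed block. The following is an added example, not Vim's code, that models that sequence in C and shows the usual guard: after the autocommands return, re-check that the window is still in the live window list before touching its quickfix list. All names here (win_T, qf_list_T, lbuffer, win_valid, autocmd_*) are constructed stand-ins for the Vim internals named in the trace.

```c
#include <stdlib.h>

/* Constructed model (not Vim's code): a window owns a quickfix list, and an
 * autocommand may wipe that window, freeing the list the caller still holds. */
typedef struct qf_list { int count; } qf_list_T;
typedef struct win { qf_list_T *qf; struct win *next; } win_T;

static win_T *first_win = NULL;   /* list of live windows */

win_T *win_new(void) {
    win_T *wp = calloc(1, sizeof *wp);
    wp->qf = calloc(1, sizeof *wp->qf);
    wp->next = first_win;
    first_win = wp;
    return wp;
}

/* Identity check against the live list; never dereferences wp itself. */
int win_valid(const win_T *wp) {
    for (const win_T *w = first_win; w != NULL; w = w->next)
        if (w == wp) return 1;
    return 0;
}

/* Model of :bwipe closing the window: unlink it and free its quickfix list. */
void win_wipe(win_T *wp) {
    for (win_T **pp = &first_win; *pp != NULL; pp = &(*pp)->next)
        if (*pp == wp) { *pp = wp->next; break; }
    free(wp->qf);
    free(wp);
}

typedef void (*autocmd_fn)(win_T *);
void autocmd_noop(win_T *wp) { (void)wp; }
void autocmd_bwipe(win_T *wp) { win_wipe(wp); }

/* Model of :lbuffer: fill the list, run autocommands, then jump.
 * Returns the entry count on success, or -1 if the autocommand wiped the
 * window, instead of reading the freed list as the reported crash does. */
int lbuffer(win_T *wp, autocmd_fn hook) {
    qf_list_T *qfl = wp->qf;
    qfl->count = 3;                 /* pretend the buffer parsed to 3 entries */
    hook(wp);                       /* may free wp and qfl */
    if (!win_valid(wp))             /* re-validate before touching the list */
        return -1;
    return wp->qf->count;           /* window survived: safe to jump */
}
```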

-- 
-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
