#336 vim parser access to freed memory

Status: closed-works-for-me
Labels: None
Priority: 5
Updated: 2012-10-23
Created: 2012-07-25
Creator: Hideki IWAMOTO
Private: No

While processing the gtags.vim script included in ftp://ftp.gnu.org/pub/gnu/global/global-6.2.4.tar.gz,
the vim parser accesses memory freed by realloc.

ctags version: 5.8 and SVN trunk

==== How to reproduce using Electric Fence ====
$ env EF_ALLOW_MALLOC_0=1 EF_PROTECT_FREE=1 ef ./dctags gtags.vim

Electric Fence 2.2.0 Copyright (C) 1987-1999 Bruce Perens <bruce@perens.com>
/usr/bin/ef: line 20: 14512 Segmentation fault (core dumped) ( export LD_PRELOAD=libefence.so.0.0; exec $* )
$ gdb -q dctags core.14512
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `./dctags gtags.vim'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/lib64/libefence.so.0.0...done.
Loaded symbols for /usr/lib64/libefence.so.0.0
Reading symbols from /lib64/libc.so.6...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
#0 0x000000000042f14c in parseVimLine (
line=0x2aaaadb40f80 " let l:cmd = s:global_command . ' ' . l:option . 'e ' . g:Gtags_Shell_Quote_Char . a:pattern . g:Gtags_Shell_Quote_Char ") at vim.c:612
612 if (strncmp ((const char*) line, "aug", (size_t) 3) == 0)

==== How to reproduce using Valgrind ====
$ valgrind -q ./dctags gtags.vim
==14555== Invalid read of size 1
==14555== at 0x42F14C: parseVimLine (vim.c:612)
==14555== by 0x42F1E1: parseVimFile (vim.c:631)
==14555== by 0x42F395: findVimTags (vim.c:726)
==14555== by 0x420F8F: createTagsForFile (parse.c:617)
==14555== by 0x42103F: createTagsWithFallback (parse.c:639)
==14555== by 0x421109: parseFile (parse.c:666)
==14555== by 0x418232: createTagsForEntry (main.c:303)
==14555== by 0x41826E: createTagsForArgs (main.c:348)
==14555== by 0x418825: makeTags (main.c:494)
==14555== by 0x4189C4: main (main.c:562)
==14555== Address 0x4ae4700 is 0 bytes inside a block of size 128 free'd
==14555== at 0x4906828: realloc (vg_replace_malloc.c:476)
==14555== by 0x424F70: eRealloc (routines.c:263)
==14555== by 0x42F470: vStringResize (vstring.c:36)
==14555== by 0x42F4CD: vStringAutoResize (vstring.c:54)
==14555== by 0x42F5CF: vStringPut (vstring.c:93)
==14555== by 0x42484C: iFileGetLine (read.c:396)
==14555== by 0x4249D2: fileReadLine (read.c:468)
==14555== by 0x42E328: readVimLine (vim.c:217)
==14555== by 0x42E5D7: parseFunction (vim.c:284)
==14555== by 0x42F11A: parseVimLine (vim.c:609)
==14555== by 0x42F1E1: parseVimFile (vim.c:631)
==14555== by 0x42F395: findVimTags (vim.c:726)
==14555==
==14555== Invalid read of size 1
==14555== at 0x42F1A1: parseVimLine (vim.c:617)
==14555== by 0x42F1E1: parseVimFile (vim.c:631)
==14555== by 0x42F395: findVimTags (vim.c:726)
==14555== by 0x420F8F: createTagsForFile (parse.c:617)
==14555== by 0x42103F: createTagsWithFallback (parse.c:639)
==14555== by 0x421109: parseFile (parse.c:666)
==14555== by 0x418232: createTagsForEntry (main.c:303)
==14555== by 0x41826E: createTagsForArgs (main.c:348)
==14555== by 0x418825: makeTags (main.c:494)
==14555== by 0x4189C4: main (main.c:562)
==14555== Address 0x4ae4700 is 0 bytes inside a block of size 128 free'd
==14555== at 0x4906828: realloc (vg_replace_malloc.c:476)
==14555== by 0x424F70: eRealloc (routines.c:263)
==14555== by 0x42F470: vStringResize (vstring.c:36)
==14555== by 0x42F4CD: vStringAutoResize (vstring.c:54)
==14555== by 0x42F5CF: vStringPut (vstring.c:93)
==14555== by 0x42484C: iFileGetLine (read.c:396)
==14555== by 0x4249D2: fileReadLine (read.c:468)
==14555== by 0x42E328: readVimLine (vim.c:217)
==14555== by 0x42E5D7: parseFunction (vim.c:284)
==14555== by 0x42F11A: parseVimLine (vim.c:609)
==14555== by 0x42F1E1: parseVimFile (vim.c:631)
==14555== by 0x42F395: findVimTags (vim.c:726)
==14555==
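The two Valgrind traces tell the whole story: the freeing stack runs parseVimLine → parseFunction → readVimLine → fileReadLine → vStringPut → vStringResize → eRealloc, and the faulting stack is parseVimLine itself at vim.c:612, after parseFunction has returned. That is the shape of a pointer into a growable line buffer being held across a nested call that can reallocate the buffer. The C program below is added here as an illustration; it is not ctags code and not part of this report. It models the shape with a small vString-like buffer (the names vstr, read_line, parse_function_body and the three-line script are ours, and the buffer is grown with malloc+memcpy+free so the relocation is certain rather than left to realloc). The first function reproduces the hazard without ever dereferencing the stale pointer; the second shows the copy-the-line-first fix.

```c
#include <stdlib.h>
#include <string.h>

/* Growable string buffer modelled on ctags' vString (names are ours, not
 * ctags').  `moves` counts storage relocations: every pointer taken from
 * `buffer` before a move is dangling afterwards. */
typedef struct { char *buffer; size_t length, size; unsigned moves; } vstr;

static vstr *vstr_new(size_t size) {
    vstr *s = malloc(sizeof *s);
    s->buffer = malloc(size);
    s->buffer[0] = '\0';
    s->length = 0; s->size = size; s->moves = 0;
    return s;
}

static void vstr_free(vstr *s) { free(s->buffer); free(s); }

/* Append one character, doubling the storage when full.  ctags grows with
 * realloc(), which may or may not move the block (which is why this class
 * of bug is intermittent); malloc+memcpy+free makes the move certain so the
 * demonstration is deterministic. */
static void vstr_put(vstr *s, char c) {
    if (s->length + 2 > s->size) {
        char *grown = malloc(s->size * 2);
        memcpy(grown, s->buffer, s->length + 1);
        free(s->buffer);
        s->buffer = grown;
        s->size *= 2;
        s->moves++;
    }
    s->buffer[s->length++] = c;
    s->buffer[s->length] = '\0';
}

/* Stand-in for readVimLine()/fileReadLine(): copy the next line of an
 * in-memory script into the shared buffer; return its current address,
 * or NULL at end of input. */
static const char *read_line(vstr *buf, const char **cursor) {
    if (**cursor == '\0')
        return NULL;
    buf->length = 0;
    buf->buffer[0] = '\0';
    while (**cursor != '\0' && **cursor != '\n')
        vstr_put(buf, *(*cursor)++);
    if (**cursor == '\n')
        (*cursor)++;
    return buf->buffer;
}

/* Stand-in for parseFunction(): consume body lines until an augroup line. */
static void parse_function_body(vstr *buf, const char **cursor) {
    const char *body;
    while ((body = read_line(buf, cursor)) != NULL)
        if (strncmp(body, "augroup", 7) == 0)
            break;
}

/* Constructed input: a short function header, then a body line long enough
 * to force the shared buffer to grow while the header's address is held. */
static const char *const script =
    "function! s:Demo()\n"
    "  let l:cmd = s:global_command . ' ' . l:option . 'e ' . g:Gtags_Shell_Quote_Char\n"
    "augroup GtagsAuto\n";

/* Buggy shape from the report (parseVimLine -> parseFunction -> readVimLine):
 * the outer frame keeps `line` across the nested reads.  Returns 1 if the
 * buffer was relocated while `line` was held, i.e. the strncmp(line, "aug", 3)
 * at vim.c:612 would read freed memory.  `line` is never dereferenced after
 * the nested call here, so this runs cleanly under Valgrind. */
static int parse_holding_raw_pointer(void) {
    vstr *buf = vstr_new(16);
    const char *cursor = script;
    const char *line = read_line(buf, &cursor);
    unsigned moves_when_taken = buf->moves;
    int stale = 0;
    if (line != NULL && strncmp(line, "function", 8) == 0) {
        parse_function_body(buf, &cursor);
        stale = buf->moves != moves_when_taken;  /* `line` now dangles */
    }
    vstr_free(buf);
    return stale;
}

/* Hardened shape: copy the header into storage we own before the nested
 * reads, so buffer growth cannot invalidate it.  Returns the copy (caller
 * frees), which is still intact for the "aug" test the original performs. */
static char *parse_with_private_copy(void) {
    vstr *buf = vstr_new(16);
    const char *cursor = script;
    const char *current = read_line(buf, &cursor);
    char *line = NULL;
    if (current != NULL) {
        size_t n = strlen(current) + 1;
        line = malloc(n);
        memcpy(line, current, n);
        if (strncmp(line, "function", 8) == 0)
            parse_function_body(buf, &cursor);
        /* strncmp(line, "aug", 3) is now safe: `line` is our allocation. */
    }
    vstr_free(buf);
    return line;
}
```

The other common fix is to re-read the buffer's address after the nested call instead of copying, but that only works if the caller really wants the line the nested call stopped on rather than the one it started with, which is a semantic question the backtrace alone does not answer. Either way, Electric Fence's EF_PROTECT_FREE and Valgrind both flag the original because the stale read touches a block that has been handed back to the allocator; AddressSanitizer (-fsanitize=address) reports the same use-after-free with the freeing and faulting stacks side by side, which is a convenient way to keep this class of regression out of a parser that shares one line buffer across recursive reads.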

Discussion

  • Hideki IWAMOTO
    2012-07-25

    • assigned_to: nobody --> dfishburn

  • David Fishburn
    2012-10-23

    I tried it on Windows 7 64-bit using current SVN trunk as of 2012/10/23 and it generated tags successfully.

  • David Fishburn
    2012-10-23

    • status: open --> closed-works-for-me

  • David Fishburn
    2012-10-23

    Added 3548393.vim which was the source file for the trunk crash which I could not reproduce and I do not have valgrind.