heap-use-after-free in function editing_arg_idx at arglist.c:516
git log
commit 54844857fd6933fa4f6678e47610c4b9c9f7a091 (HEAD -> master, tag: v9.0.2009, origin/master, origin/HEAD)
./vim -u NONE -i NONE -n -m -X -Z -e -s -S editing_arg_idx_POC_2 -c :qa!
=================================================================
==567275==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000119b8 at pc 0x56077f582b56 bp 0x7ffdb5a9d130 sp 0x7ffdb5a9d120
READ of size 4 at 0x6250000119b8 thread T0
#0 0x56077f582b55 in editing_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516
#1 0x56077f582da6 in check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:530
#2 0x56077f584027 in alist_check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:339
#3 0x56077f584027 in do_arglist /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:494
#4 0x56077f58906e in ex_next /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:766
#5 0x56077f94acbc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
#6 0x56077f94acbc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
#7 0x560780032ea5 in do_source_ext /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1762
#8 0x5607800395f0 in do_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1908
#9 0x5607800395f0 in cmd_source /home/limweicheng/Desktop/Fuzz/vim/src/scriptfile.c:1253
#10 0x56077f94acbc in do_one_cmd /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:2582
#11 0x56077f94acbc in do_cmdline /home/limweicheng/Desktop/Fuzz/vim/src/ex_docmd.c:994
#12 0x5607806b58e1 in exe_commands /home/limweicheng/Desktop/Fuzz/vim/src/main.c:3173
#13 0x5607806b58e1 in vim_main2 /home/limweicheng/Desktop/Fuzz/vim/src/main.c:790
#14 0x56077f5728c5 in main /home/limweicheng/Desktop/Fuzz/vim/src/main.c:441
#15 0x7f2adb010d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#16 0x7f2adb010e3f in __libc_start_main_impl ../csu/libc-start.c:392
#17 0x56077f5795e4 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x1a45e4)
0x6250000119b8 is located 184 bytes inside of 9424-byte region [0x625000011900,0x625000013dd0)
freed by thread T0 here:
#0 0x7f2adbaaa517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x56077f57a88f in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:616
previously allocated by thread T0 here:
#0 0x7f2adbaaa867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x56077f579b3a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516 in editing_arg_idx
Shadow bytes around the buggy address:
0x0c4a7fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa2f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fffa320: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a7fffa330: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
0x0c4a7fffa340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fffa380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==567275==ABORTING
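Triage helper, added here as an example and not part of this report or of the vim code base: a small Python parser that turns an AddressSanitizer report like the one above into structured fields (bug type, faulting access, offset inside the freed region, crash/free/alloc stacks) and derives a deduplication signature from the top project frames, which is what a fuzzing queue keys on when sorting crashes. The embedded sample is a trimmed, constructed copy of the report above; the RUNTIME_PREFIXES list of frames to skip is an assumption of this example, not an ASan convention.

```python
# Added example: parse an ASan report into fields and a dedup signature.
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+)\s+(.*)$")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
# Assumed list of sanitizer-runtime / libc frames that carry no triage information.
RUNTIME_PREFIXES = ("__interceptor_", "__asan_", "__sanitizer_", "__libc_", "_start")

@dataclass
class Frame:
    index: int
    function: str
    location: str  # "path:line" or "(binary+offset)", exactly as ASan printed it

@dataclass
class AsanReport:
    pid: int
    bug_type: str
    address: str
    access: str = ""
    access_size: int = 0
    offset_in_region: int = -1
    region_size: int = -1
    crash_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_asan_report(text: str) -> AsanReport:
    """Walk the report; section headers decide which stack the following frames belong to."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if report is None:
            m = HEADER_RE.search(line)
            if m:
                report = AsanReport(pid=int(m.group(1)), bug_type=m.group(2), address=m.group(3))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size = m.group(1), int(m.group(2))
            current = report.crash_stack
            continue
        if FREED_RE.match(line):
            current = report.free_stack
            continue
        if ALLOC_RE.match(line):
            current = report.alloc_stack
            continue
        m = REGION_RE.search(line)
        if m:
            report.offset_in_region, report.region_size = int(m.group(1)), int(m.group(2))
            current = None
            continue
        if line.startswith("SUMMARY:"):
            current = None  # shadow-byte dump follows; nothing more to collect
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report

def project_frames(stack: List[Frame], depth: int = 3) -> List[Frame]:
    """Keep only the program's own frames, innermost first."""
    return [f for f in stack if not f.function.startswith(RUNTIME_PREFIXES)][:depth]

def crash_signature(report: AsanReport, depth: int = 3) -> str:
    """Bug type plus the top project frames; two crashes with equal signatures are one bug."""
    return report.bug_type + ":" + ">".join(f.function for f in project_frames(report.crash_stack, depth))

def free_site(report: AsanReport) -> Optional[Frame]:
    """Innermost project frame of the free stack. A report whose free stack stops at the
    allocator wrapper (vim_free in the sample) does not reveal the caller that freed it."""
    frames = project_frames(report.free_stack, 1)
    return frames[0] if frames else None

# Constructed sample: a trimmed copy of the report on this page.
SAMPLE_REPORT = """
==567275==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000119b8 at pc 0x56077f582b56 bp 0x7ffdb5a9d130 sp 0x7ffdb5a9d120
READ of size 4 at 0x6250000119b8 thread T0
    #0 0x56077f582b55 in editing_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516
    #1 0x56077f582da6 in check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:530
    #2 0x56077f584027 in alist_check_arg_idx /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:339
    #3 0x56077f584027 in do_arglist /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:494
    #4 0x56077f58906e in ex_next /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:766
    #15 0x7f2adb010d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #17 0x56077f5795e4 in _start (/home/limweicheng/Desktop/Fuzz/vim/src/vim+0x1a45e4)
0x6250000119b8 is located 184 bytes inside of 9424-byte region [0x625000011900,0x625000013dd0)
freed by thread T0 here:
    #0 0x7f2adbaaa517 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x56077f57a88f in vim_free /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:616
previously allocated by thread T0 here:
    #0 0x7f2adbaaa867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x56077f579b3a in lalloc /home/limweicheng/Desktop/Fuzz/vim/src/alloc.c:246
SUMMARY: AddressSanitizer: heap-use-after-free /home/limweicheng/Desktop/Fuzz/vim/src/arglist.c:516 in editing_arg_idx
==567275==ABORTING
"""

if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(rep), rep.offset_in_region, "/", rep.region_size, free_site(rep))
```

Run on the sample, the signature is heap-use-after-free:editing_arg_idx>check_arg_idx>alist_check_arg_idx, the access is a 4-byte read 184 bytes into a 9424-byte region, and the innermost project frame on the free side is vim_free at alloc.c:616; that last point is why a triager would re-run the PoC with a deeper malloc_context_size in ASAN_OPTIONS before filing, since the two-frame free and alloc stacks above do not show which vim caller released the object.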