Distributor ID: Debian
Description: Debian GNU/Linux bookworm/sid
I checked against the master branch as of 09/25 at commit 6ee7b521fa7531ef356ececc8be7575c3800f872.
Heap buffer overflow (heap BoF) in the file /src/message.c, in the function trunc_string() at line 356:
buf[e - 1] = NUL;
./vim -u NONE -i NONE -n -m -X -Z -e -s -S crash2 -c :qa!
=================================================================
==3763035==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e000002342 at pc 0x55555636086b bp 0x7fffffffb5f0 sp 0x7fffffffb5e8
WRITE of size 1 at 0x61e000002342 thread T0
#0 0x55555636086a in trunc_string /path/vim/src/message.c:356:13
#1 0x55555635f1f7 in msg_strtrunc /path/vim/src/message.c:232:3
#2 0x555555e02509 in vgr_display_fname /path/vim/src/quickfix.c:5969:9
#3 0x555555de5ab3 in vgr_process_files /path/vim/src/quickfix.c:6336:6
#4 0x555555ddf817 in ex_vimgrep /path/vim/src/quickfix.c:6496:14
#5 0x555555a6b30e in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
#6 0x555555a5fe25 in do_cmdline /path/vim/src/ex_docmd.c:994:17
#7 0x555555eff710 in do_source_ext /path/vim/src/scriptfile.c:1762:5
#8 0x555555efd354 in cmd_source /path/vim/src/scriptfile.c:1253:14
#9 0x555555a6b30e in do_one_cmd /path/vim/src/ex_docmd.c:2582:2
#10 0x555555a5fe25 in do_cmdline /path/vim/src/ex_docmd.c:994:17
#11 0x555556351589 in exe_commands /path/vim/src/main.c:3173:2
#12 0x55555634ed7e in vim_main2 /path/vim/src/main.c:790:2
#13 0x555556347e3e in main /path/vim/src/main.c:441:12
#14 0x7ffff7a501c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7ffff7a50284 in __libc_start_main csu/../csu/libc-start.c:360:3
#16 0x5555557517f0 in _start (/path/vim/fuzzfuzzfuzzfuzz/vim+0x1fd7f0) (BuildId: 68639e4c086c1f4c9dcfcca8bf0579fea932e525)
0x61e000002342 is located 0 bytes to the right of 2754-byte region [0x61e000001880,0x61e000002342)
allocated by thread T0 here:
#0 0x5555557d463e in malloc (/path/vim/fuzzfuzzfuzzfuzz/vim+0x28063e) (BuildId: 68639e4c086c1f4c9dcfcca8bf0579fea932e525)
#1 0x55555580f7f7 in lalloc /path/vim/src/alloc.c:246:11
SUMMARY: AddressSanitizer: heap-buffer-overflow /path/vim/src/message.c:356:13 in trunc_string
Shadow bytes around the buggy address:
0x0c3c7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3c7fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3c7fff8460: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa
0x0c3c7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff8490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff84a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3c7fff84b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3763035==ABORTING