[vim/vim] Calling test_null_function() causes a crash (#8367)


naohiro ono

Jun 11, 2021, 8:14:08 PM
to vim/vim, Subscribed

Describe the bug

Calling test_null_function() may cause a crash.

To Reproduce

$ vim --clean
:call test_null_function()()
" Vim: Caught deadly signal SEGV
" Vim: Finished.

Expected behavior

Vim does not crash.

Environment

  • Vim 8.2.2973
  • macOS Catalina (version 10.15.7)
  • iTerm2



Dominique Pellé

Jun 12, 2021, 2:41:31 AM
to vim/vim, Subscribed

Calling test_null_function() may cause a crash

I cannot reproduce this crash at least on xubuntu-18.04.5 with vim-8.2.2976.

Christian Brabandt

Jun 12, 2021, 3:15:39 AM
to vim...@googlegroups.com, vim/vim, Subscribed
Can you provide a stack trace?

On 12.06.2021 at 02:13, naohiro ono <notifi...@github.com> wrote:


naohiro ono

Jun 12, 2021, 5:24:40 AM
to vim/vim, Subscribed

I have updated to version 8.2.2976, but I can still reproduce this crash.

Is the command you executed call test_null_function()()? There are two ()s.

Dominique Pellé

Jun 12, 2021, 5:44:35 AM
to vim/vim, Subscribed

@obcat wrote:

Is the command you executed call test_null_function()()? There are two ()s.

Ah right, this was my mistake. Sorry.
I can now reproduce it.

Valgrind shows access to a NULL pointer:

==9322== Memcheck, a memory error detector
==9322== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. 
==9322== Using Valgrind-3.17.0.GIT and LibVEX; rerun with -h for copyright info
==9322== Command: ./vim --clean
==9322== 
==9322== Invalid read of size 1
==9322==    at 0x4C38D92: strlen (vg_replace_strmem.c:469)
==9322==    by 0x533ABC: vim_strsave (misc2.c:1279)
==9322==    by 0x627C6E: call_func (userfunc.c:3108)
==9322==    by 0x627B58: get_func_tv (userfunc.c:1617)
==9322==    by 0x49D1F2: call_func_rettv (eval.c:3787)
==9322==    by 0x49D1F2: handle_subscript (eval.c:5862)
==9322==    by 0x62E2F4: ex_call (userfunc.c:4883)
==9322==    by 0x4BE37F: do_one_cmd (ex_docmd.c:2599)
==9322==    by 0x4BE37F: do_cmdline (ex_docmd.c:1001)
==9322==    by 0x5454C0: nv_colon (normal.c:3407)
==9322==    by 0x5410B1: normal_cmd (normal.c:1100)
==9322==    by 0x6B5FC8: main_loop (main.c:0)
==9322==    by 0x6B5A7F: vim_main2 (main.c:878)
==9322==    by 0x6B48E3: main (main.c:425)
==9322==  Address 0x0 is not stack'd, malloc'd or (recently) free'd    
...snip...

This fixes it:

diff --git a/src/userfunc.c b/src/userfunc.c
index 64e815d04..dd7f2ca28 100644
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -3099,6 +3099,9 @@ call_func(
     // even when call_func() returns FAIL.
     rettv->v_type = VAR_UNKNOWN;
 
+    if (funcname == NULL)
+       return ret;
+
     if (partial != NULL)
        fp = partial->pt_func;
     if (fp == NULL)
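Review bot: the new `if (funcname == NULL) return ret;` guard returns silently, and `ret` is not initialised anywhere in the visible lines; confirm it already holds FAIL at this point (the comment above says rettv is VAR_UNKNOWN "even when call_func() returns FAIL", so the caller expects a FAIL return), and consider reporting an error so that a `:call` on a null Funcref does not just do nothing. Note also that the guard sits before `if (partial != NULL) fp = partial->pt_func;`, so a partial that carries a function pointer but is passed with a NULL funcname would be rejected before its pt_func is consulted; check that every call site passes a non-NULL funcname for such partials, or move the check after the partial lookup.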

I'll create a PR with a test.

Bram Moolenaar

Jun 12, 2021, 6:17:31 AM
to vim/vim, Subscribed

Closed #8367 via 22db0d5.

naohiro ono

Jun 12, 2021, 6:32:56 AM
to vim/vim, Subscribed

Thanks for the fix!

Ah, I didn't notice that :call test_null_partial()() also causes a crash 🙈
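The crash path from the Valgrind trace and the one-line guard from the diff, as an added C model that is not Vim's source: typval_T, partial_T, call_func() and vim_strsave() borrow their names from the trace, but the structures, the toy "Hello" lookup and callee_name() are reduced stand-ins. In this model a null partial resolves to a NULL name and is covered by the same guard; the last message in the thread reports that :call test_null_partial()() still crashes Vim, so the real partial path is not covered by this one check.

```c
/* Added model of the vim/vim#8367 crash, not Vim's own source: typval_T,
 * partial_T, call_func() and vim_strsave() mirror names from the Valgrind
 * trace above, but the structures are reduced to what the bug needs. */
#include <stdlib.h>
#include <string.h>
#define OK   1
#define FAIL 0
typedef enum { VAR_UNKNOWN, VAR_NUMBER, VAR_FUNC, VAR_PARTIAL } vartype_T;
typedef struct { char *pt_name; } partial_T;
typedef struct { vartype_T v_type; long v_number; char *v_string; partial_T *v_partial; } typval_T;

/* Like Vim's vim_strsave(): strlen(NULL) here is the "Invalid read ... Address 0x0". */
static char *vim_strsave(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    return p != NULL ? memcpy(p, s, len) : NULL;
}

/* Name the trailing "()" should call; NULL is what test_null_function()/test_null_partial() yield. */
static const char *callee_name(const typval_T *fn) {
    switch (fn->v_type) {
    case VAR_FUNC:    return fn->v_string;                                          /* NULL for a null Funcref */
    case VAR_PARTIAL: return fn->v_partial != NULL ? fn->v_partial->pt_name : NULL;  /* NULL for a null partial */
    default:          return NULL;
    }
}

/* Toy function table standing in for Vim's user-function lookup. */
static int lookup_and_call(const char *name, typval_T *rettv) {
    if (strcmp(name, "Hello") != 0) return FAIL;
    rettv->v_type = VAR_NUMBER; rettv->v_number = 42;
    return OK;
}

/* call_func() before the fix: the name is copied before any NULL check. */
static int call_func_unpatched(const char *funcname, typval_T *rettv) {
    rettv->v_type = VAR_UNKNOWN;
    char *name = vim_strsave(funcname);               /* SEGV when funcname == NULL */
    int ret = name != NULL ? lookup_and_call(name, rettv) : FAIL;
    free(name);
    return ret;
}

/* call_func() after the fix: the guard runs first, so a null Funcref fails cleanly. */
static int call_func_patched(const char *funcname, typval_T *rettv) {
    rettv->v_type = VAR_UNKNOWN;
    if (funcname == NULL) return FAIL;
    return call_func_unpatched(funcname, rettv);
}
```

call_func_patched(callee_name(&fn), &r) with a VAR_FUNC typval whose v_string is NULL returns FAIL and leaves r.v_type at VAR_UNKNOWN; the unpatched variant would fault inside vim_strsave() on the same input.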
