NULL Pointer Dereference in function sug_filltree at vim/src/spellfile.c:5600.
git log
commit 4875d6ab068f09df88d24d81de40dcd8d56e243d (grafted, HEAD -> master, tag: v9.0.0224, origin/master, origin/HEAD)
./vim -u NONE -X -Z -e -s -S /home/fuzz/test/poc2_null.dat -c :qa!
Segmentation fault (core dumped)
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000555555b9f3f0 in sug_filltree (spin=0x7fffffff95c0, slang=0x62100001f500) at spellfile.c:5600
5600 if (curi[depth] > byts[arridx[depth]])
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────── registers ────
$rax : 0x0
$rbx : 0x007fffffff93b0 → 0x007fffffff9950 → 0x007fffffff99a0 → 0x0000000041b58ab3
$rcx : 0x0
$rdx : 0x0
$rsp : 0x007fffffff8340 → 0x0062100001f500 → 0x0000000000000000
$rbp : 0x007fffffff93d0 → 0x007fffffff9410 → 0x007fffffff9970 → 0x007fffffff9a40 → 0x007fffffff9db0 → 0x007fffffffa6b0 → 0x007fffffffa6d0 → 0x007fffffffa880
$rsi : 0x1
$rdi : 0x0
$rip : 0x00555555b9f3f0 → <sug_filltree+1115> movzx eax, BYTE PTR [rcx]
$r8 : 0x0
$r9 : 0x000c507fff9020 → 0x0000000000000000
$r10 : 0x0
$r11 : 0x108
$r12 : 0x000ffffffff06e → 0x0000000000000000
$r13 : 0x007fffffff8370 → 0x0000000041b58ab3
$r14 : 0x007fffffff8370 → 0x0000000041b58ab3
$r15 : 0x007fffffff9ae0 → 0x0000000041b58ab3
$eflags: [ZERO carry PARITY adjust sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x33 $ss: 0x2b $ds: 0x00 $es: 0x00 $fs: 0x00 $gs: 0x00
──────────────────────────────────────────────────────────────────── stack ────
0x007fffffff8340│+0x0000: 0x0062100001f500 → 0x0000000000000000 ← $rsp
0x007fffffff8348│+0x0008: 0x007fffffff95c0 → 0x00628000008110 → 0x0000000000000000
0x007fffffff8350│+0x0010: 0xffffffff00000000
0x007fffffff8358│+0x0018: 0x0000000000000000
0x007fffffff8360│+0x0020: 0x0000000000000000
0x007fffffff8368│+0x0028: 0x0000000000000000
0x007fffffff8370│+0x0030: 0x0000000041b58ab3 ← $r13, $r14
0x007fffffff8378│+0x0038: 0x00555555eaeaa0 → "5 32 1016 11 arridx:5569 1184 1016 9 curi:5570 233[...]"
──────────────────────────────────────────────────────────── code:x86:64 ────
0x555555b9f3e6 <sug_filltree+1105> je 0x555555b9f3f0 <sug_filltree+1115>
0x555555b9f3e8 <sug_filltree+1107> mov rdi, rax
0x555555b9f3eb <sug_filltree+1110> call 0x55555568dba0 <__asan_report_load1@plt>
→ 0x555555b9f3f0 <sug_filltree+1115> movzx eax, BYTE PTR [rcx]
0x555555b9f3f3 <sug_filltree+1118> movzx eax, al
0x555555b9f3f6 <sug_filltree+1121> cmp esi, eax
0x555555b9f3f8 <sug_filltree+1123> jle 0x555555b9f599 <sug_filltree+1540>
0x555555b9f3fe <sug_filltree+1129> mov eax, DWORD PTR [rbp-0x1080]
0x555555b9f404 <sug_filltree+1135> cdqe
──────────────────────────────────────────────────── source:spellfile.c+5600 ────
5595 wordcount[0] = 0;
5596
5597 depth = 0;
5598 while (depth >= 0 && !got_int)
5599 {
// byts=0x007fffffff8360 → 0x0000000000000000, depth=0x0, arridx=0x007fffffff8390 → 0x0000000000000000, curi=0x007fffffff8810 → 0x0000000000000001
→ 5600 if (curi[depth] > byts[arridx[depth]])
5601 {
5602 // Done all bytes at this node, go up one level.
5603 idxs[arridx[depth]] = wordcount[depth];
5604 if (depth > 0)
5605 wordcount[depth - 1] += wordcount[depth];
────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "vim", stopped 0x555555b9f3f0 in sug_filltree (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────── trace ────
[#0] 0x555555b9f3f0 → sug_filltree(spin=0x7fffffff95c0, slang=0x62100001f500)
[#1] 0x555555b9ed48 → spell_make_sugfile(spin=0x7fffffff95c0, wfname=0x621000017d00 "Xtest.utf-8.spl")
[#2] 0x555555ba2799 → mkspell(fcount=0x1, fnames=0x611000000400, ascii=0x0, over_write=0x1, added_word=0x0)
[#3] 0x555555b9ea0c → ex_mkspell(eap=0x7fffffff9b30)
[#4] 0x555555817454 → do_one_cmd(cmdlinep=0x7fffffff9e90, flags=0xb, cstack=0x7fffffff9fb0, fgetline=0x0, cookie=0x0)
[#5] 0x55555580e6f7 → do_cmdline(cmdline=0x602000006050 "mksp! Xtest", fgetline=0x0, cookie=0x0, flags=0xb)
[#6] 0x55555580ca91 → do_cmdline_cmd(cmd=0x602000006050 "mksp! Xtest")
[#7] 0x5555557b2730 → execute_common(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0, arg_off=0x0)
[#8] 0x5555557b2cc2 → f_execute(argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
[#9] 0x5555557ad280 → call_internal_func(name=0x602000006070 "execute", argcount=0x1, argvars=0x7fffffffadd0, rettv=0x7fffffffc0c0)
───────────────────────────────────────────────────────────────────────────────
poc download: poc2_null.dat (https://github.com/Janette88/vim/blob/main/poc2_null.dat)
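Reading the dump: the faulting instruction `movzx eax, BYTE PTR [rcx]` is the load of `byts[arridx[depth]]` on line 5600 with `rcx = 0`, and GEF's annotation of that line shows the local `byts` (stack slot 0x7fffffff8360) holding 0x0 with `arridx[0] = 0` and `curi[0] = 1`, i.e. the very first iteration of the walk reads address 0. The `je` at `sug_filltree+1105` skipped the `__asan_report_load1` call because the shadow check for address 0 passes, so the ASAN build dies with a plain SIGSEGV instead of a sanitizer report. The trigger is `:mkspell!` (`mksp! Xtest`) on the fuzzed word list, reached from `execute()`, so this is a crash (denial of service) in spell-file generation rather than a memory-corruption primitive.

The C program below is added here as an illustration; it is not Vim's code and not Vim's fix. It models the tree layout that `sug_filltree` walks (`byts[node]` is the child count, followed by the child bytes, with a 0 byte ending a word; `idxs` holds the child node index for each byte) using the same iterative `arridx`/`curi`/`wordcount` bookkeeping seen in the source excerpt, and shows the NULL guard that the walk needs before touching `byts`. The function name `walk_fold_tree`, the `MAXWORDLEN` limit and the two-word sample tree are constructed for this example; where Vim actually placed its check is not something this report shows.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXWORDLEN 32   /* constructed limit for this example */

/*
 * Walk a byte tree laid out the way Vim's case-folded word tree is:
 *   byts[node]         = number of child entries at this node
 *   byts[node + 1 + i] = i-th child byte; a 0 byte ends a word
 *   idxs[node + 1 + i] = node index of the subtree for that byte
 * Completed words are copied into out[] (up to max_out of them), and, as in
 * sug_filltree(), the number of words below a node is stored in idxs[node]
 * once that node is finished.
 * Returns the word count, -1 if the tree is absent, -2 if a word is too long.
 */
int walk_fold_tree(unsigned char *byts, int *idxs,
                   char out[][MAXWORDLEN], int max_out)
{
    int  arridx[MAXWORDLEN];    /* node being visited at each depth */
    int  curi[MAXWORDLEN];      /* next child entry at each depth */
    int  wordcount[MAXWORDLEN]; /* words completed below each depth */
    char tword[MAXWORDLEN];     /* bytes of the word being built */
    int  depth, n, c, words_done = 0;

    /* The guard the crash site lacks (assumed placement for this example):
     * with no tree, byts is NULL and byts[arridx[0]] reads address 0. */
    if (byts == NULL || idxs == NULL)
        return -1;

    depth = 0;
    arridx[0] = 0;
    curi[0] = 1;
    wordcount[0] = 0;

    while (depth >= 0)
    {
        if (curi[depth] > byts[arridx[depth]])
        {
            /* Done all bytes at this node, go up one level. */
            idxs[arridx[depth]] = wordcount[depth];
            if (depth > 0)
                wordcount[depth - 1] += wordcount[depth];
            --depth;
        }
        else
        {
            /* Do one more byte at this node. */
            n = arridx[depth] + curi[depth];
            ++curi[depth];
            c = byts[n];
            if (c == 0)
            {
                /* End of a word: emit it. */
                tword[depth] = '\0';
                if (words_done < max_out)
                    strcpy(out[words_done], tword);
                ++words_done;
                ++wordcount[depth];
            }
            else
            {
                /* Normal byte, go one level deeper (bounded by MAXWORDLEN). */
                if (depth + 1 >= MAXWORDLEN)
                    return -2;
                tword[depth++] = (char)c;
                arridx[depth] = idxs[n];
                curi[depth] = 1;
                wordcount[depth] = 0;
            }
        }
    }
    return words_done;
}

/* Constructed tree holding the two words "a" and "ab":
 *   node 0: 1 child: 'a' -> node 2
 *   node 2: 2 children: 0 (end of "a"), 'b' -> node 5
 *   node 5: 1 child: 0 (end of "ab") */
unsigned char sample_byts[] = { 1, 'a', 2, 0, 'b', 1, 0 };
int           sample_idxs[] = { 0, 2,   0, 0, 5,   0, 0 };

int main(void)
{
    char out[8][MAXWORDLEN];
    int  i, n;

    /* Absent tree: reported, not dereferenced. */
    printf("empty tree -> %d\n", walk_fold_tree(NULL, NULL, out, 8));

    n = walk_fold_tree(sample_byts, sample_idxs, out, 8);
    for (i = 0; i < n; i++)
        printf("word %d: %s\n", i, out[i]);
    printf("%d words, idxs[0] = %d\n", n, sample_idxs[0]);
    return 0;
}
```

Run against the sample tree the walker reports the words "a" and "ab" and leaves the per-node word counts in `idxs[0]`, `idxs[2]` and `idxs[5]`; run with a NULL tree it returns -1 where the original code would fault on line 5600.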