2088SEGV in msg_may_trunc()
- Dec 21 8:39 AMHi,
VIM (6.3.85p0) on openBSD 3.8, built from /usr/ports.
in message.c there is a probable SEGV in msg_may_trunc() function.
If multibyte string is passed in, and the size of the string in characters
is less than room, but size in bytes is more than room, the (s-1) address
is then written to, as (n) becomes -1.
The attached patch should help. Should work on 6.4 as well.
What I still don't understand is how it is OK to replace some position
in asciiz string with '>'. Does anything guarantee that the position the
'>' is written to is not a part of a multibyte character ?
Pawel S. Veselov [vps], Sun Microsystems, Inc.
Staff Engineer, Java Mobile Systems and Services Engineering __ __(O) _ __
(408) 276-5410 e-mail: Pawel.Veselov@... \ V /| || ' \
fax(408) 276-6090 HomePage: http://manticore.2y.net \_/ |_||_|_|_|
- Next post in topic >>