Re: SEGV in msg_may_trunc()
Dec 21, 2005

Pawel S. Veselov wrote:
> VIM (6.3.85p0) on OpenBSD 3.8, built from /usr/ports.
> in message.c there is a probable SEGV in msg_may_trunc() function.
> If multibyte string is passed in, and the size of the string in characters
> is less than room, but size in bytes is more than room, the (s-1) address
> is then written to, as (n) becomes -1.
> The attached patch should help. Should work on 6.4 as well.
> What I still don't understand is how it is OK to replace some position
> in asciiz string with '>'. Does anything guarantee that the position the
> '>' is written to is not a part of a multibyte character?

Strange that this has gone unnoticed so long. It's probably because it
only happens when using IObuff as the buffer, which is never freed.
Then using one byte before the buffer writes in the length of the
buffer, and if you don't free it that is not causing trouble. But
of course it's bad anyway, just an explanation why we haven't seen
crashes all around.
A simpler solution is to check for "n" being negative and not doing
anything then. Like this:
RCS file: /cvsroot/vim/vim7/src/message.c,v
retrieving revision 1.32
diff -u -r1.32 message.c
--- message.c 3 Oct 2005 21:50:54 -0000 1.32
+++ message.c 21 Dec 2005 21:40:36 -0000
@@ -727,6 +727,10 @@
size -= (*mb_ptr2cells)(s + n);
n += (*mb_ptr2len)(s + n);
+ /* there may be room anyway when there are multi-byte chars */
+ if (n == 0)
+ return s;
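Review bot: the hunk ends right after the three added lines, so whatever follows the loop and uses `n` (the step where the report says `n` becomes -1 and `s-1` is written) is not visible, and the `@@ -727,6 +727,10 @@` header promises six lines of old context but only two context lines appear; please check that the trailing context survived the paste. On the change itself, `if (n == 0) return s;` returns before `n` is used whenever the loop consumed no character, which is exactly the "fits by cells but not by bytes" case from the report; the comment would be clearer if it stated the effect, e.g. `/* string already fits by cells: nothing to truncate */`. The guard only covers the case where the loop never ran; the question raised in the report about '>' landing inside a multibyte character is not addressed by this hunk.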
It might look like I'm doing nothing, but at the cellular level
I'm really quite busy.
/// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://www.ICCF.nl ///
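To make the arithmetic in the report concrete, here is an added example (not Vim's own code) that models the multibyte path of msg_may_trunc() as described above; mb_len(), mb_cells(), str_cells() and trunc_offset() are my stand-ins for Vim's helpers, and the width of two cells for every multibyte character is an assumption.

```c
/* Added example, not Vim's code: a model of msg_may_trunc()'s multibyte
 * path. mb_len()/mb_cells() stand in for Vim's mb_ptr2len/mb_ptr2cells,
 * assuming (for simplicity) that every multibyte character is 2 cells. */
#include <string.h>
/* Byte length of the UTF-8 character whose lead byte is at p. */
static int mb_len(const unsigned char *p)
{
    if (*p < 0x80) return 1;
    if ((*p & 0xE0) == 0xC0) return 2;
    if ((*p & 0xF0) == 0xE0) return 3;
    return 4;
}
/* Display cells of the character at p (assumption: 2 for any multibyte). */
static int mb_cells(const unsigned char *p)
{
    return *p < 0x80 ? 1 : 2;
}
/* Total display cells of s, like vim_strsize(). */
static int str_cells(const unsigned char *s)
{
    int size = 0;
    for (; *s; s += mb_len(s))
        size += mb_cells(s);
    return size;
}
/* Decide where '>' would be written. Returns 1 and stores the byte offset
 * in *off when the message is truncated, 0 when it is left alone.
 * The byte-based test (strlen - room > 0) triggers truncation; the loop
 * then advances n over whole characters until the rest fits in room.
 * If the string already fits by cells the loop never runs, n stays 0 and
 * the following decrement gives -1: the write to s - 1 from the report.
 * With guarded set, the patch's "if (n == 0) return s" is applied. */
static int trunc_offset(const unsigned char *s, int room, int guarded, int *off)
{
    int n = (int)strlen((const char *)s) - room;
    if (n <= 0)
        return 0;                       /* fits by bytes: nothing to do */
    int size = str_cells(s);
    for (n = 0; size >= room; ) {       /* walk whole characters */
        size -= mb_cells(s + n);
        n += mb_len(s + n);
    }
    if (guarded && n == 0)
        return 0;                       /* the fix: already fits by cells */
    *off = n - 1;                       /* old behaviour: -1 when n == 0 */
    return 1;
}
```

Three 3-byte characters (9 bytes, 6 cells) with room 8 show the bug: the byte test says truncate, the cell loop never runs, and the unguarded offset is -1.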