Loading ...
Sorry, an error occurred while loading the content.

2089Re: SEGV in msg_may_trunc()

Expand Messages
  • Bram Moolenaar
    Dec 21, 2005
      Pawel S. Veselov wrote:

      > VIM (6.3.85p0) on openBSD 3.8, built from /usr/ports.
      > in message.c there is a probable SEGV in msg_may_trunc() function.
      > If multibyte string is passed in, and the size of the string in characters
      > is less than room, but size in bytes is more than room, the (s-1) address
      > is then written to, as (n) becomes -1.
      > The attached patch should help. Should work on 6.4 as well.
      > What I still don't understand is how it is OK to replace some position
      > in asciiz string with '>'. Does anything guarantee that the position the
      > '>' is written to is not a part of a multibyte character ?

      Strange that this has gone unnoticed so long. It's probably because it
      only happens when using IObuff as the buffer, which is never freed.
      Then using one byte before the buffer writes in the length of the
      buffer, and if you don't free it that is not causing trouble. But
      of course it's bad anyway, just an explanation why we haven't seen
      crashes all around.

      A simpler solution is to check for "n" being negative and not doing
      anything then. Like this:

      Index: message.c
      RCS file: /cvsroot/vim/vim7/src/message.c,v
      retrieving revision 1.32
      diff -u -r1.32 message.c
      --- message.c 3 Oct 2005 21:50:54 -0000 1.32
      +++ message.c 21 Dec 2005 21:40:36 -0000
      @@ -727,6 +727,10 @@
      size -= (*mb_ptr2cells)(s + n);
      n += (*mb_ptr2len)(s + n);
      + /* there may be room anyway when there are multi-byte chars */
      + if (n == 0)
      + return s;

      It might look like I'm doing nothing, but at the cellular level
      I'm really quite busy.

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ download, build and distribute -- http://www.A-A-P.org ///
      \\\ help me help AIDS victims -- http://www.ICCF.nl ///
    • Show all 5 messages in this topic