Re: Vim7's buffer overrun on win32
- Taro Muraoka wrote:
> I'm trying to use vim7 (cvs ver.) debug-msvc7 build on Win32. I noticed
> below command to start-up makes crash.
>     .\src\gvimd -u NONE -U NONE --cmd "set enc=utf-8"
> I traced this problem and found a reason. In function acp_to_enc(),
> ucs2_to_enc() returns allocated buffer whose size is just string (not
> including NUL). Then look at vim_getenv(), caller of acp_to_enc(), writes
> NUL at out of the buffer (end of the string). It makes runtime exception
> when the vim_free() is called about the buffer.
> I wrote attached patch fix this. But I don't know it is right position
> to fix. Please check it.
Thanks for locating the cause of this problem.
I'd rather solve this in acp_to_enc() by incrementing "*outlen".
MultiByteToWideChar_alloc() does add a terminating NUL, but it isn't
counted in the length. ucs2_to_enc() needs to be told to convert the
terminating NUL as well.
In vim_getenv() the line that adds a NUL must be removed. acp_to_enc()
already adds the NUL, as the comment above the function mentions.
PRINCE: He's come to rescue me, father.
LAUNCELOT: (embarrassed) Well, let's not jump to conclusions ...
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD
/// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
/// Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ Project leader for A-A-P -- http://www.A-A-P.org ///
\\\ Buy LOTR 3 and help AIDS victims -- http://ICCF.nl/lotr.html ///
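An added illustration of the off-by-one discussed in this thread; it is not code from the thread, the attached patch or Vim's source. The names ucs2_to_utf8() and to_enc_terminated() are hypothetical stand-ins for ucs2_to_enc() and acp_to_enc(), written in portable C, and the sample string is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for ucs2_to_enc(): converts exactly inlen UCS-2 units to UTF-8
 * and allocates exactly the bytes produced; it appends no terminator. */
char *ucs2_to_utf8(const uint16_t *in, size_t inlen, size_t *outlen)
{
    size_t n = 0, i;
    char *out, *p;
    for (i = 0; i < inlen; i++)
        n += in[i] < 0x80 ? 1 : in[i] < 0x800 ? 2 : 3;
    if ((out = malloc(n ? n : 1)) == NULL)
        return NULL;
    for (p = out, i = 0; i < inlen; i++) {
        unsigned c = in[i];
        if (c >= 0x800) {
            *p++ = (char)(0xE0 | (c >> 12));
            *p++ = (char)(0x80 | ((c >> 6) & 0x3F));
            *p++ = (char)(0x80 | (c & 0x3F));
        } else if (c >= 0x80) {
            *p++ = (char)(0xC0 | (c >> 6));
            *p++ = (char)(0x80 | (c & 0x3F));
        } else
            *p++ = (char)c;
    }
    *outlen = n;
    return out;
}

/* Fixed shape: wide[wlen] is the NUL the wide buffer already carries, so
 * convert wlen + 1 units. *outlen counts the NUL; callers append nothing. */
char *to_enc_terminated(const uint16_t *wide, size_t wlen, size_t *outlen)
{
    return ucs2_to_utf8(wide, wlen + 1, outlen);
}

int main(void)
{
    const uint16_t wide[] = { 'V', 0x00E9, 0x3042, 0 };  /* constructed sample */
    size_t shortlen, fulllen;
    char *a = ucs2_to_utf8(wide, 3, &shortlen);      /* old: a[shortlen] is out of bounds */
    char *b = to_enc_terminated(wide, 3, &fulllen);  /* fixed: b[fulllen - 1] is the NUL */
    if (a == NULL || b == NULL)
        return 1;
    printf("unterminated: %zu bytes, terminated: %zu bytes (%s)\n", shortlen, fulllen, b);
    free(a);
    free(b);
    return 0;
}
```

Built with a checking allocator (the MSVC debug heap from the report, or AddressSanitizer), a write to a[shortlen] in the first case is the one-byte overrun that surfaces when the block is freed.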