[patch] fixed access to freed memory in "set guifont=*" with GUI Motif

  • Dominique Pellé
    Message 1 of 2 , Dec 6, 2009
      Hi

      I can reproduce the following error (access to freed memory)
      with Vim-7.2.315 (Motif GUI):

      ==31168== Invalid read of size 4
      ==31168== at 0x484BDE7: XtDisplay (in /usr/lib/libXt.so.6.0.0)
      ==31168== by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
      ==31168== by 0x81E0324: gui_init_font (gui.c:715)
      ==31168== by 0x815C376: did_set_string_option (option.c:6116)
      ==31168== by 0x8159DBC: do_set (option.c:4679)
      ==31168== by 0x80D12B7: ex_set (ex_docmd.c:10983)
      ==31168== by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
      ==31168== by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
      ==31168== by 0x81463F2: nv_colon (normal.c:5224)
      ==31168== by 0x813FDEF: normal_cmd (normal.c:1188)
      ==31168== by 0x8103CE4: main_loop (main.c:1204)
      ==31168== by 0x81037DB: main (main.c:948)
      ==31168== Address 0x5a77e30 is 88 bytes inside a block of size 312 free'd
      ==31168== at 0x4024B56: free (vg_replace_malloc.c:325)
      ==31168== by 0x4835E90: XtFree (in /usr/lib/libXt.so.6.0.0)
      ==31168== by 0x48408ED: ??? (in /usr/lib/libXt.so.6.0.0)
      ==31168== by 0x4840213: ??? (in /usr/lib/libXt.so.6.0.0)
      ==31168== by 0x4840377: ??? (in /usr/lib/libXt.so.6.0.0)
      ==31168== by 0x484062A: _XtDoPhase2Destroy (in /usr/lib/libXt.so.6.0.0)
      ==31168== by 0x4840791: XtDestroyWidget (in /usr/lib/libXt.so.6.0.0)
      ==31168== by 0x81F55FB: gui_xm_select_font (gui_xmdlg.c:1277)
      ==31168== by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
      ==31168== by 0x81E0324: gui_init_font (gui.c:715)
      ==31168== by 0x815C376: did_set_string_option (option.c:6116)
      ==31168== by 0x8159DBC: do_set (option.c:4679)
      ==31168== by 0x80D12B7: ex_set (ex_docmd.c:10983)
      ==31168== by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
      ==31168== by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
      ==31168== by 0x81463F2: nv_colon (normal.c:5224)
      ==31168== by 0x813FDEF: normal_cmd (normal.c:1188)
      ==31168== by 0x8103CE4: main_loop (main.c:1204)
      ==31168== by 0x81037DB: main (main.c:948)

      Steps to reproduce:

      1) Start Vim with Valgrind:
      $ cd vim7/src
      $ valgrind --num-callers=20 ./vim -f -g -u NONE -U NONE 2> vg.log

      2) Type Ex command:
      :set guifont=*

      3) A modal window pops up to select a font, click on the
      "Cancel" button.

      4) Observe the above Valgrind error as soon as you click on
      "Cancel".


      src/gui_xmdlg.c:

      1272     /* modal event loop */
      1273     while (!data->exit)
      1274         XtAppProcessEvent(XtWidgetToApplicationContext(data->dialog),
      1275                           (XtInputMask)XtIMAll);
      1276
      1277     XtDestroyWidget(data->dialog);
      1278
      1279     if (data->old)
      1280     {
      1281         XFreeFont(XtDisplay(data->dialog), data->old);
      1282         XmFontListFree(data->old_list);
      1283     }

      data->dialog is destroyed at line gui_xmdlg.c:1277 but still
      used just below at line gui_xmdlg.c:1281.

      Attached patch fixes it.

      Stack trace reported by Valgrind is slightly incorrect
      by the way (not sure why) since XtDisplay() is called from:

      XtDisplay
      gui_xm_select_font (gui_xmdlg.c:1281)
      gui_mch_init_font (gui_x11.c:1853)

      and not from:

      XtDisplay()
      gui_mch_init_font() (gui_x11.c:1853)

      Cheers
      -- Dominique

      --
      You received this message from the "vim_dev" maillist.
      For more information, visit http://www.vim.org/maillist.php
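The ordering fix the report calls for, as an added example that is not the attached patch or Vim's code: hypothetical stand-ins (Display, Widget, Font, widget_create, widget_display, widget_destroy, font_open, font_free) model XtDisplay(), XtDestroyWidget() and XFreeFont() so the block compiles without libXt, and counters let a test confirm the dialog and the old font are both released exactly once.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for Xt's Display, Widget and XFontStruct. They only
 * model the one property that matters here: a widget remembers its display,
 * and destroying the widget frees that memory. */
typedef struct { int id; } Display;
typedef struct { Display *dpy; char *label; } Widget;
typedef struct { int id; } Font;

static int live_widgets = 0;   /* allocation counters checked by the test */
static int live_fonts = 0;

static Widget *widget_create(Display *dpy, const char *label) {
    Widget *w = malloc(sizeof *w);
    w->dpy = dpy;
    w->label = malloc(strlen(label) + 1);
    strcpy(w->label, label);
    live_widgets++;
    return w;
}

/* Like XtDisplay(): reads w, so w must still be alive. */
static Display *widget_display(const Widget *w) { return w->dpy; }

/* Like XtDestroyWidget(): after this returns, w points to freed memory. */
static void widget_destroy(Widget *w) {
    free(w->label);
    free(w);
    live_widgets--;
}

static Font *font_open(void) { Font *f = malloc(sizeof *f); live_fonts++; return f; }
static void font_free(Display *dpy, Font *f) { (void)dpy; free(f); live_fonts--; }

/* Corrected tail of a gui_xm_select_font()-style routine: read everything the
 * dialog still owns (its Display) before destroying it, then use the saved
 * value for the font release. gui_xmdlg.c:1281 instead called
 * XtDisplay(data->dialog) after the XtDestroyWidget() at line 1277. */
static Display *select_font_fixed(Display *dpy, Font *old) {
    Widget *dialog = widget_create(dpy, "font selector");
    /* ... the modal event loop would run here ... */
    Display *d = widget_display(dialog);   /* capture while dialog is alive */
    widget_destroy(dialog);
    dialog = NULL;              /* any later use faults instead of reading freed memory */
    if (old)
        font_free(d, old);      /* saved Display, not XtDisplay(dialog) */
    return d;
}
```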
    • Bram Moolenaar
      Message 2 of 2 , Dec 6, 2009
        > I can reproduce the following error (access to freed memory)
        > with Vim-7.2.315 (Motif GUI):
        >
        > ==31168== Invalid read of size 4
        > ==31168== at 0x484BDE7: XtDisplay (in /usr/lib/libXt.so.6.0.0)
        > ==31168== by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
        > ==31168== by 0x81E0324: gui_init_font (gui.c:715)
        > ==31168== by 0x815C376: did_set_string_option (option.c:6116)
        > ==31168== by 0x8159DBC: do_set (option.c:4679)
        > ==31168== by 0x80D12B7: ex_set (ex_docmd.c:10983)
        > ==31168== by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
        > ==31168== by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
        > ==31168== by 0x81463F2: nv_colon (normal.c:5224)
        > ==31168== by 0x813FDEF: normal_cmd (normal.c:1188)
        > ==31168== by 0x8103CE4: main_loop (main.c:1204)
        > ==31168== by 0x81037DB: main (main.c:948)
        > ==31168== Address 0x5a77e30 is 88 bytes inside a block of size 312 free'd
        > ==31168== at 0x4024B56: free (vg_replace_malloc.c:325)
        > ==31168== by 0x4835E90: XtFree (in /usr/lib/libXt.so.6.0.0)
        > ==31168== by 0x48408ED: ??? (in /usr/lib/libXt.so.6.0.0)
        > ==31168== by 0x4840213: ??? (in /usr/lib/libXt.so.6.0.0)
        > ==31168== by 0x4840377: ??? (in /usr/lib/libXt.so.6.0.0)
        > ==31168== by 0x484062A: _XtDoPhase2Destroy (in /usr/lib/libXt.so.6.0.0)
        > ==31168== by 0x4840791: XtDestroyWidget (in /usr/lib/libXt.so.6.0.0)
        > ==31168== by 0x81F55FB: gui_xm_select_font (gui_xmdlg.c:1277)
        > ==31168== by 0x81EDAF9: gui_mch_init_font (gui_x11.c:1853)
        > ==31168== by 0x81E0324: gui_init_font (gui.c:715)
        > ==31168== by 0x815C376: did_set_string_option (option.c:6116)
        > ==31168== by 0x8159DBC: do_set (option.c:4679)
        > ==31168== by 0x80D12B7: ex_set (ex_docmd.c:10983)
        > ==31168== by 0x80C49D3: do_one_cmd (ex_docmd.c:2627)
        > ==31168== by 0x80C22AC: do_cmdline (ex_docmd.c:1096)
        > ==31168== by 0x81463F2: nv_colon (normal.c:5224)
        > ==31168== by 0x813FDEF: normal_cmd (normal.c:1188)
        > ==31168== by 0x8103CE4: main_loop (main.c:1204)
        > ==31168== by 0x81037DB: main (main.c:948)
        >
        > Steps to reproduce:
        >
        > 1) Start Vim with Valgrind:
        > $ cd vim7/src
        > $ valgrind --num-callers=20 ./vim -f -g -u NONE -U NONE 2> vg.log
        >
        > 2) Type Ex command:
        > :set guifont=*
        >
        > 3) A modal window pops up to select a font, click on the
        > "Cancel" button.
        >
        > 4) Observe the above Valgrind error as soon as you click on
        > "Cancel".
        >
        >
        > src/gui_xmdlg.c:
        >
        > 1272     /* modal event loop */
        > 1273     while (!data->exit)
        > 1274         XtAppProcessEvent(XtWidgetToApplicationContext(data->dialog),
        > 1275                           (XtInputMask)XtIMAll);
        > 1276
        > 1277     XtDestroyWidget(data->dialog);
        > 1278
        > 1279     if (data->old)
        > 1280     {
        > 1281         XFreeFont(XtDisplay(data->dialog), data->old);
        > 1282         XmFontListFree(data->old_list);
        > 1283     }
        >
        > data->dialog is destroyed at line gui_xmdlg.c:1277 but still
        > used just below at line gui_xmdlg.c:1281.
        >
        > Attached patch fixes it.
        >
        > Stack trace reported by Valgrind is slightly incorrect
        > by the way (not sure why) since XtDisplay() is called from:
        >
        > XtDisplay
        > gui_xm_select_font (gui_xmdlg.c:1281)
        > gui_mch_init_font (gui_x11.c:1853)
        >
        > and not from:
        >
        > XtDisplay()
        > gui_mch_init_font() (gui_x11.c:1853)

        Thanks for the patch!

        --
        Shift happens.
        -- Doppler

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ download, build and distribute -- http://www.A-A-P.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

        --
        You received this message from the "vim_dev" maillist.
        For more information, visit http://www.vim.org/maillist.php