
[patch] fixed access to free mem when closing "[Command Line]" window with ":setlocal bh=wipe"

  • Dominique Pellé
    Message 1 of 2 , Feb 28, 2010
      Hi

      Vim-7.2.377 is using free memory when closing the "[Command Line]"
      window and when 'bufhidden' option is set to 'wipe':

      ==10070== Invalid read of size 4
      ==10070== at 0x80532A0: close_buffer (buffer.c:330)
      ==10070== by 0x80BC21F: ex_window (ex_getln.c:6254)
      ==10070== by 0x80B395A: getcmdline (ex_getln.c:736)
      ==10070== by 0x811DB8C: nv_search (normal.c:6147)
      ==10070== by 0x8115D28: normal_cmd (normal.c:1188)
      ==10070== by 0x80DE00B: main_loop (main.c:1211)
      ==10070== by 0x80DDB02: main (main.c:955)
      ==10070== Address 0x4f13d60 is 3,240 bytes inside a block of size 4,496 free'd
      ==10070== at 0x4024B8A: free (vg_replace_malloc.c:366)
      ==10070== by 0x8107976: vim_free (misc2.c:1647)
      ==10070== by 0x8053844: free_buffer (buffer.c:612)
      ==10070== by 0x805354E: close_buffer (buffer.c:464)
      ==10070== by 0x81ABAF3: win_close (window.c:2201)
      ==10070== by 0x80BC204: ex_window (ex_getln.c:6253)
      ==10070== by 0x80B395A: getcmdline (ex_getln.c:736)
      ==10070== by 0x811DB8C: nv_search (normal.c:6147)
      ==10070== by 0x8115D28: normal_cmd (normal.c:1188)
      ==10070== by 0x80DE00B: main_loop (main.c:1211)
      ==10070== by 0x80DDB02: main (main.c:955)
      (more errors after that)

      Steps to reproduce:

      1/ Run:

      $ valgrind --log-file=vg.log \
      vim -u NONE -c ':call feedkeys("q/:setlocal bh=wipe\<cr>\<c-c>\<c-c>")'

      2/ Observe errors in log file 'vg.log'

      Code in src/ex_getln.c:

      6253 win_close(wp, TRUE);
      6254 close_buffer(NULL, bp, DOBUF_WIPE);

      Line ex_getln.c:6253 may wipe the buffer 'bp' when
      'bufhidden' option is set to 'wipe' and call to
      close_buffer() at next line ex_getln.c:6254 then
      accesses freed memory.

      I stumbled upon this bug when using the ManPageView
      plugin (http://www.vim.org/scripts/script.php?script_id=489).
      Pressing K in the "[Command Line]" window with ManPageView
      plugin triggered this error.

      Attached patch fixes it.

      Cheers
      -- Dominique

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
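An added illustration of the ordering bug described in the message above; this is not the attached patch and not Vim's own code. It is a constructed toy model of Vim's buffer list and windows, just enough to replay the two calls at ex_getln.c:6253-6254: the unchecked version closes the window and then unconditionally calls close_buffer() on the same buffer, which with 'bufhidden=wipe' has already been freed by win_close(); the checked version first asks whether the buffer is still in the buffer list, the way Vim's buf_valid() does. The names buflist_new, buf_valid, free_buffer, close_buffer, win_close, close_cmdwin_unchecked, close_cmdwin_checked, run_scenario and freed_buffers are simplified stand-ins, not Vim's real signatures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of the Vim state involved in the report. Not Vim's
 * code: only the buffer list, one window and the 'bufhidden' option. */
typedef enum { BH_EMPTY, BH_HIDE, BH_WIPE } bufhidden_T;  /* 'bufhidden' */

typedef struct buf_S {
    struct buf_S *b_next;   /* buffer list link, like Vim's firstbuf chain */
    int           b_fnum;   /* buffer number */
    bufhidden_T   b_p_bh;   /* value of 'bufhidden' for this buffer */
} buf_T;

typedef struct { buf_T *w_buffer; } win_T;   /* a window showing one buffer */

static buf_T *firstbuf = NULL;   /* head of the buffer list */
static int    next_fnum = 1;
static int    free_count = 0;    /* number of buffers free_buffer() released */

/* Create a buffer and link it into the buffer list. */
buf_T *buflist_new(bufhidden_T bh)
{
    buf_T *buf = calloc(1, sizeof(*buf));
    if (buf == NULL)
        abort();
    buf->b_fnum = next_fnum++;
    buf->b_p_bh = bh;
    buf->b_next = firstbuf;
    firstbuf = buf;
    return buf;
}

/* Return 1 if 'buf' is still in the buffer list. Only pointer values are
 * compared, so a stale pointer is never dereferenced here. */
int buf_valid(const buf_T *buf)
{
    for (const buf_T *bp = firstbuf; bp != NULL; bp = bp->b_next)
        if (bp == buf)
            return 1;
    return 0;
}

/* Unlink a buffer from the list and release its memory. */
static void free_buffer(buf_T *buf)
{
    for (buf_T **pp = &firstbuf; *pp != NULL; pp = &(*pp)->b_next)
        if (*pp == buf) {
            *pp = buf->b_next;
            break;
        }
    free(buf);
    free_count++;
}

/* Wipe the buffer when asked to, or when its 'bufhidden' says wipe. The read
 * of buf->b_p_bh is the kind of access valgrind reports as "Invalid read"
 * once 'buf' has already been freed. */
void close_buffer(buf_T *buf, int wipe)
{
    int wipe_buf = wipe || buf->b_p_bh == BH_WIPE;
    if (wipe_buf)
        free_buffer(buf);
}

/* Closing a window hands its buffer to close_buffer(), which frees the
 * buffer when 'bufhidden' is 'wipe'. */
void win_close(win_T *wp)
{
    buf_T *buf = wp->w_buffer;
    wp->w_buffer = NULL;
    close_buffer(buf, 0);
}

/* The order of calls from the report: an unconditional second close. With
 * 'bufhidden=wipe' the first call already freed 'bp', so the second one
 * reads freed memory and frees it again. Run only under valgrind or ASan. */
void close_cmdwin_unchecked(win_T *wp, buf_T *bp)
{
    win_close(wp);
    close_buffer(bp, 1);
}

/* Hardened order: touch 'bp' only if it is still a live buffer.
 * Returns 1 if the second close ran, 0 if win_close() had already wiped it. */
int close_cmdwin_checked(win_T *wp, buf_T *bp)
{
    win_close(wp);
    if (!buf_valid(bp))          /* win_close() may already have wiped it */
        return 0;
    close_buffer(bp, 1);
    return 1;
}

/* Create a command-line buffer with the given 'bufhidden', show it in a
 * window and close it the safe way. Returns close_cmdwin_checked()'s result. */
int run_scenario(bufhidden_T bh)
{
    free_count = 0;
    buf_T *bp = buflist_new(bh);
    win_T win = { bp };
    return close_cmdwin_checked(&win, bp);
}

int freed_buffers(void) { return free_count; }

int main(int argc, char **argv)
{
    if (argc > 1 && strcmp(argv[1], "buggy") == 0) {
        buf_T *bp = buflist_new(BH_WIPE);   /* replay the reported order */
        win_T win = { bp };
        close_cmdwin_unchecked(&win, bp);
        printf("unchecked path finished; see the memory checker's report\n");
        return 0;
    }
    int ran = run_scenario(BH_WIPE);
    printf("bh=wipe: second close ran=%d, buffers freed=%d\n", ran, freed_buffers());
    ran = run_scenario(BH_HIDE);
    printf("bh=hide: second close ran=%d, buffers freed=%d\n", ran, freed_buffers());
    return 0;
}
```

Without an argument the program takes the checked path: with bh=wipe the buffer is freed exactly once by win_close() and the second close is skipped; with bh=hide it survives win_close() and the explicit close frees it. Run `valgrind ./a.out buggy` (or build with -fsanitize=address) to get the same shape of report as in the message: an invalid read inside close_buffer() on a block that win_close() already freed, followed by an invalid free. Without a checker, glibc's double-free detection usually aborts the process instead.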
    • Bram Moolenaar
      Message 2 of 2 , Feb 28, 2010
        Dominique Pelle wrote:

        > Vim-7.2.377 is using free memory when closing the "[Command Line]"
        > window and when 'bufhidden' option is set to 'wipe':
        >
        > ==10070== Invalid read of size 4
        > ==10070== at 0x80532A0: close_buffer (buffer.c:330)
        > ==10070== by 0x80BC21F: ex_window (ex_getln.c:6254)
        > ==10070== by 0x80B395A: getcmdline (ex_getln.c:736)
        > ==10070== by 0x811DB8C: nv_search (normal.c:6147)
        > ==10070== by 0x8115D28: normal_cmd (normal.c:1188)
        > ==10070== by 0x80DE00B: main_loop (main.c:1211)
        > ==10070== by 0x80DDB02: main (main.c:955)
        > ==10070== Address 0x4f13d60 is 3,240 bytes inside a block of size 4,496 free'd
        > ==10070== at 0x4024B8A: free (vg_replace_malloc.c:366)
        > ==10070== by 0x8107976: vim_free (misc2.c:1647)
        > ==10070== by 0x8053844: free_buffer (buffer.c:612)
        > ==10070== by 0x805354E: close_buffer (buffer.c:464)
        > ==10070== by 0x81ABAF3: win_close (window.c:2201)
        > ==10070== by 0x80BC204: ex_window (ex_getln.c:6253)
        > ==10070== by 0x80B395A: getcmdline (ex_getln.c:736)
        > ==10070== by 0x811DB8C: nv_search (normal.c:6147)
        > ==10070== by 0x8115D28: normal_cmd (normal.c:1188)
        > ==10070== by 0x80DE00B: main_loop (main.c:1211)
        > ==10070== by 0x80DDB02: main (main.c:955)
        > (more errors after that)
        >
        > Steps to reproduce:
        >
        > 1/ Run:
        >
        > $ valgrind --log-file=vg.log \
        > vim -u NONE -c ':call feedkeys("q/:setlocal bh=wipe\<cr>\<c-c>\<c-c>")'
        >
        > 2/ Observe errors in log file 'vg.log'
        >
        > Code in src/ex_getln.c:
        >
        > 6253 win_close(wp, TRUE);
        > 6254 close_buffer(NULL, bp, DOBUF_WIPE);
        >
        > Line ex_getln.c:6253 may wipe the buffer 'bp' when
        > 'bufhidden' option is set to 'wipe' and call to
        > close_buffer() at next line ex_getln.c:6254 then
        > accesses freed memory.
        >
        > I stumbled upon this bug when using the ManPageView
        > plugin (http://www.vim.org/scripts/script.php?script_id=489).
        > Pressing K in the "[Command Line]" window with ManPageView
        > plugin triggered this error.
        >
        > Attached patch fixes it.

        Thanks! I'll add it to my todo list.

        --
        GALAHAD: No, please. Please! I can defeat them! There's only a hundred.
        GIRLS: He will beat us easily. We haven't a chance.
        "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ download, build and distribute -- http://www.A-A-P.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
