
Re: [patch] fixed access to free mem when closing "[Command Line]" window with ":setlocal bh=wipe"

  • Bram Moolenaar
    Message 1 of 2, Feb 28, 2010
      Dominique Pelle wrote:

      > Vim-7.2.377 is using free memory when closing the "[Command Line]"
      > window and when 'bufhidden' option is set to 'wipe':
      >
      > ==10070== Invalid read of size 4
      > ==10070== at 0x80532A0: close_buffer (buffer.c:330)
      > ==10070== by 0x80BC21F: ex_window (ex_getln.c:6254)
      > ==10070== by 0x80B395A: getcmdline (ex_getln.c:736)
      > ==10070== by 0x811DB8C: nv_search (normal.c:6147)
      > ==10070== by 0x8115D28: normal_cmd (normal.c:1188)
      > ==10070== by 0x80DE00B: main_loop (main.c:1211)
      > ==10070== by 0x80DDB02: main (main.c:955)
      > ==10070== Address 0x4f13d60 is 3,240 bytes inside a block of size 4,496 free'd
      > ==10070== at 0x4024B8A: free (vg_replace_malloc.c:366)
      > ==10070== by 0x8107976: vim_free (misc2.c:1647)
      > ==10070== by 0x8053844: free_buffer (buffer.c:612)
      > ==10070== by 0x805354E: close_buffer (buffer.c:464)
      > ==10070== by 0x81ABAF3: win_close (window.c:2201)
      > ==10070== by 0x80BC204: ex_window (ex_getln.c:6253)
      > ==10070== by 0x80B395A: getcmdline (ex_getln.c:736)
      > ==10070== by 0x811DB8C: nv_search (normal.c:6147)
      > ==10070== by 0x8115D28: normal_cmd (normal.c:1188)
      > ==10070== by 0x80DE00B: main_loop (main.c:1211)
      > ==10070== by 0x80DDB02: main (main.c:955)
      > (more errors after that)
      >
      > Steps to reproduce:
      >
      > 1/ Run:
      >
      > $ valgrind --log-file=vg.log \
      > vim -u NONE -c ':call feedkeys("q/:setlocal bh=wipe\<cr>\<c-c>\<c-c>")'
      >
      > 2/ Observe errors in log file 'vg.log'
      >
      > Code in src/ex_getln.c:
      >
      > 6253 win_close(wp, TRUE);
      > 6254 close_buffer(NULL, bp, DOBUF_WIPE);
      >
      > Line ex_getln.c:6253 may wipe the buffer 'bp' when
      > 'bufhidden' option is set to 'wipe' and call to
      > close_buffer() at next line ex_getln.c:6254 then
      > accesses freed memory.
      >
      > I stumbled upon this bug when using the ManPageView
      > plugin (http://www.vim.org/scripts/script.php?script_id=489).
      > Pressing K in the "[Command Line]" window with ManPageView
      > plugin triggered this error.
      >
      > Attached patch fixes it.

      Thanks! I'll add it to my todo list.

      --
      GALAHAD: No, please. Please! I can defeat them! There's only a hundred.
      GIRLS: He will beat us easily. We haven't a chance.
      "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

      /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
      /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
      \\\ download, build and distribute -- http://www.A-A-P.org ///
      \\\ help me help AIDS victims -- http://ICCF-Holland.org ///

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
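
The ordering problem described in the quoted report, as an added example (not part of the original message and not Vim source code): a self-contained C model in which closing a window may already free the buffer, so the caller re-resolves the buffer by id instead of reusing the saved pointer. All names here (`buf_t`, `buf_find`, `window_close`, `close_cmdwin`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not Vim source: a singly linked list of buffers. */
typedef struct buf {
    int         id;
    int         wipe_on_hide;  /* stands in for 'bufhidden' set to 'wipe' */
    struct buf *next;
} buf_t;
static buf_t *first_buf = NULL;

static buf_t *buf_new(int id, int wipe_on_hide) {
    buf_t *b = malloc(sizeof *b);
    if (b == NULL) abort();
    b->id = id; b->wipe_on_hide = wipe_on_hide;
    b->next = first_buf; first_buf = b;
    return b;
}

/* Look a buffer up by id; returns NULL once it has been wiped. */
static buf_t *buf_find(int id) {
    for (buf_t *b = first_buf; b != NULL; b = b->next)
        if (b->id == id) return b;
    return NULL;
}

/* Unlink and free a buffer that is still in the list. */
static void buf_wipe(buf_t *victim) {
    for (buf_t **pp = &first_buf; *pp != NULL; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; free(victim); return; }
}

/* Stands in for closing the window: hiding the buffer may wipe it. */
static void window_close(buf_t *b) { if (b->wipe_on_hide) buf_wipe(b); }

/* Returns 1 if this function wiped the buffer, 0 if window_close() had. */
static int close_cmdwin(buf_t *bp) {
    int id = bp->id;          /* copy what we need while bp is still live */
    window_close(bp);         /* bp may be dangling from here on */
    bp = buf_find(id);        /* re-resolve instead of trusting the pointer */
    if (bp == NULL) return 0; /* already wiped: nothing left to close */
    buf_wipe(bp);
    return 1;
}

int main(void) {
    printf("wipe-on-hide: %d\n", close_cmdwin(buf_new(1, 1)));
    printf("default:      %d\n", close_cmdwin(buf_new(2, 0)));
    return 0;
}
```

Removing the `buf_find()` re-resolution and calling `buf_wipe(bp)` unconditionally reproduces the class of error shown in the valgrind log: a read inside a block that the earlier call already freed.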