
[patch] fix stack corruption in vim/src/gui_riscos.c

  • Dominique Pellé
    Message 1 of 1 , Dec 2, 2010
    • 0 Attachment
      Hi

      Running cppcheck static analyzer on vim/src/gui_riscos.c gives
      the following warnings:

      $ cppcheck gui_riscos.c
      Checking gui_riscos.c...
      [gui_riscos.c:1764] -> [gui_riscos.c:2291]: (error) Array
      'front_block[10]' index 20 out of bounds
      [gui_riscos.c:1764] -> [gui_riscos.c:2293]: (error) Array
      'front_block[10]' index 28 out of bounds

      gui_riscos.c:

      1757 if (button & 0x444)
      1758 {
      !!1759 int front_block[10];
      1760 /* Dragging with Select - bring window to front first */
      1761 front_block[0] = gui.window_handle;
      1762 swi(Wimp_GetWindowState, 0, front_block);
      1763 front_block[7] = -1;
      !!1764 ro_open_main(front_block);
      1765 }

      ....
      2284 void
      2285 ro_open_main(block)
      2286 int *block;
      2287 {
      2288 int toggle_size;
      2289
      2290 /* Find out if the user clicked on the toggle size icon. */
      !!2291 block[20] = block[0];
      2292 swi(Wimp_GetWindowState, 0, block + 20);
      2293 toggle_size = block[28] & (1 << 19);

      ro_open_main() is called at line 1764 with buffer 'front_block',
      which is 10 ints large. But the first thing that ro_open_main() does
      is set block[20], which thus corrupts the stack.

      The attached patch fixes it by making front_block 64 ints in size
      instead of 10 ints (just as in other places where ro_open_main() is called).

      ro_open_main() and other functions could also be static since
      they are only used within gui_riscos.c but I leave that as it is
      since I don't have riscos to verify.

      Regards
      -- Dominique
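
Added example, not part of the original post or of Vim's source: a checked variant of the callee that makes the implicit "at least 29 ints" requirement explicit, so the 10-int call site from the report is rejected instead of writing past the array. The names `ro_open_main_checked`, `fake_get_window_state` and the `RO_*` constants are hypothetical, and the stub stands in for `swi(Wimp_GetWindowState, 0, ...)` with a constructed result.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* From the post: the callee writes block[20] and reads block[28]; the
 * other call sites pass 64 ints. The constant names are assumptions. */
#define RO_BLOCK_INTS   64
#define RO_STATE_OFFSET 20
#define RO_FLAGS_INDEX  28
#define RO_MIN_INTS     (RO_FLAGS_INDEX + 1)

/* Hypothetical stand-in for swi(Wimp_GetWindowState, 0, state).
 * Fills 9 ints with constructed data; the toggle-size bit is set. */
static void fake_get_window_state(int *state)
{
    int handle = state[0];
    memset(state, 0, 9 * sizeof(int));
    state[0] = handle;
    state[8] = 1 << 19;
}

/* The caller states how many ints it owns. Returns -1 if the buffer is
 * too small for the indexes used below, else the toggle-size flag (0/1). */
static int ro_open_main_checked(int *block, size_t nints)
{
    if (block == NULL || nints < RO_MIN_INTS)
        return -1;
    block[RO_STATE_OFFSET] = block[0];
    fake_get_window_state(block + RO_STATE_OFFSET);
    return (block[RO_FLAGS_INDEX] & (1 << 19)) != 0;
}

int call_with_small_block(void)   /* the call site cppcheck flagged */
{
    int front_block[10] = { 42 };
    return ro_open_main_checked(front_block,
                                sizeof front_block / sizeof front_block[0]);
}

int call_with_full_block(void)    /* the size the patch switches to */
{
    int front_block[RO_BLOCK_INTS] = { 42 };
    return ro_open_main_checked(front_block,
                                sizeof front_block / sizeof front_block[0]);
}

int main(void)
{
    printf("10-int block: %d\n", call_with_small_block());
    printf("64-int block: %d\n", call_with_full_block());
    return 0;
}
```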
