
[patch] fixed valgrind error in after_pathsep()

  • Dominique Pellé
    Message 1 of 2 , Jul 3, 2011
      Hi

      I can reproduce the following Valgrind error with Vim-7.3.237:

      ==7744== Invalid read of size 1
      ==7744== at 0x8110B39: after_pathsep (misc2.c:3229)
      ==7744== by 0x8086820: f_resolve (eval.c:15130)
      ==7744== by 0x807D828: call_func (eval.c:8380)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x8079860: eval7 (eval.c:5128)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x807D2DC: get_func_tv (eval.c:8178)
      ==7744== by 0x8079860: eval7 (eval.c:5128)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x8077DD5: eval0 (eval.c:4012)
      ==7744== by 0x80745B4: ex_let (eval.c:1885)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x8091F91: call_user_func (eval.c:22116)
      ==7744== by 0x807D726: call_func (eval.c:8351)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x808C9E9: handle_subscript (eval.c:19186)
      ==7744== by 0x8079900: eval7 (eval.c:5154)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x8077DD5: eval0 (eval.c:4012)
      ==7744== by 0x80745B4: ex_let (eval.c:1885)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x8091F91: call_user_func (eval.c:22116)
      ==7744== by 0x807D726: call_func (eval.c:8351)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x8079860: eval7 (eval.c:5128)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x8077DD5: eval0 (eval.c:4012)
      ==7744== by 0x80745B4: ex_let (eval.c:1885)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x8091F91: call_user_func (eval.c:22116)
      ==7744== by 0x807D726: call_func (eval.c:8351)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x8076FBF: ex_call (eval.c:3435)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x80AE381: do_ucmd (ex_docmd.c:6168)
      ==7744== by 0x80A89E7: do_one_cmd (ex_docmd.c:2663)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x80A59A3: do_cmdline_cmd (ex_docmd.c:728)
      ==7744== by 0x81E8C0D: exe_commands (main.c:2810)
      ==7744== by 0x81E62E6: main (main.c:884)
      ==7744== Address 0x53958f7 is 1 bytes before a block of size 1 alloc'd
      ==7744== at 0x4025230: malloc (vg_replace_malloc.c:236)
      ==7744== by 0x810E7B7: lalloc (misc2.c:918)
      ==7744== by 0x810E6D4: alloc (misc2.c:817)
      ==7744== by 0x810EBA2: vim_strsave (misc2.c:1235)
      ==7744== by 0x8086317: f_resolve (eval.c:14976)
      ==7744== by 0x807D828: call_func (eval.c:8380)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x8079860: eval7 (eval.c:5128)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x807D2DC: get_func_tv (eval.c:8178)
      ==7744== by 0x8079860: eval7 (eval.c:5128)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x8077DD5: eval0 (eval.c:4012)
      ==7744== by 0x80745B4: ex_let (eval.c:1885)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x8091F91: call_user_func (eval.c:22116)
      ==7744== by 0x807D726: call_func (eval.c:8351)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x808C9E9: handle_subscript (eval.c:19186)
      ==7744== by 0x8079900: eval7 (eval.c:5154)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x8077DD5: eval0 (eval.c:4012)
      ==7744== by 0x80745B4: ex_let (eval.c:1885)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x8091F91: call_user_func (eval.c:22116)
      ==7744== by 0x807D726: call_func (eval.c:8351)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x8079860: eval7 (eval.c:5128)
      ==7744== by 0x8079179: eval6 (eval.c:4780)
      ==7744== by 0x8078D6F: eval5 (eval.c:4596)
      ==7744== by 0x8078309: eval4 (eval.c:4289)
      ==7744== by 0x8078177: eval3 (eval.c:4201)
      ==7744== by 0x8078019: eval2 (eval.c:4130)
      ==7744== by 0x8077E6A: eval1 (eval.c:4055)
      ==7744== by 0x8077DD5: eval0 (eval.c:4012)
      ==7744== by 0x80745B4: ex_let (eval.c:1885)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x8091F91: call_user_func (eval.c:22116)
      ==7744== by 0x807D726: call_func (eval.c:8351)
      ==7744== by 0x807D36F: get_func_tv (eval.c:8193)
      ==7744== by 0x8076FBF: ex_call (eval.c:3435)
      ==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x80AE381: do_ucmd (ex_docmd.c:6168)
      ==7744== by 0x80A89E7: do_one_cmd (ex_docmd.c:2663)
      ==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
      ==7744== by 0x80A59A3: do_cmdline_cmd (ex_docmd.c:728)
      ==7744== by 0x81E8C0D: exe_commands (main.c:2810)
      ==7744== by 0x81E62E6: main (main.c:884)

      Steps to reproduce:

      - install the vcscommand plugin:
      http://www.vim.org/scripts/script.php?script_id=90

      - run:
      $ vim -c VCSVimDiff

      Running VCSVimDiff on an unnamed buffer does not make much sense
      but it should not cause vim to access invalid memory.

      Code in misc2.c:

      3219 /*
      3220 * Return TRUE if "p" points to just after a path separator.
      3221 * Take care of multi-byte characters.
      3222 * "b" must point to the start of the file name
      3223 */
      3224 int
      3225 after_pathsep(b, p)
      3226 char_u *b;
      3227 char_u *p;
      3228 {
      3229 return vim_ispathsep(p[-1])
      3230 && (!has_mbyte || (*mb_head_off)(b, p - 1) == 0);
      3231 }

      When the error happens, b and p are identical: they point to the beginning
      of an empty string. So p[-1] at misc2.c:3229 is an invalid read of 1 byte
      and the return value of after_pathsep() is then undefined.

      Attached patch fixes it.

      -- Dominique

      --
      You received this message from the "vim_dev" maillist.
      Do not top-post! Type your reply below the text you are replying to.
      For more information, visit http://www.vim.org/maillist.php
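
The guard that the analysis above calls for, as an added example; it is not part of the original message and is not the attached patch. `is_pathsep()` and `head_off()` are assumed stand-ins for `vim_ispathsep()` and `(*mb_head_off)()`, and the `_unchecked`/`_checked` names are hypothetical. The constructed input stores the empty name right after a `/` byte in the same array, so the stray read is defined C and its effect on the result can be observed.

```c
#include <stdio.h>

typedef unsigned char char_u;

/* Assumed stand-in for vim_ispathsep(): only '/' counts here. */
static int is_pathsep(int c) { return c == '/'; }

/* Assumed stand-in for (*mb_head_off)(b, p) with UTF-8: number of bytes
 * from p back to the lead byte of its character, never going before b. */
static int head_off(const char_u *b, const char_u *p)
{
    const char_u *q = p;

    while (q > b && (*q & 0xC0) == 0x80)
        --q;
    return (int)(p - q);
}

/* Same shape as the function quoted in the post: reads p[-1] unconditionally. */
int after_pathsep_unchecked(const char_u *b, const char_u *p)
{
    return is_pathsep(p[-1]) && head_off(b, p - 1) == 0;
}

/* Guarded form: when p == b there is no byte before p inside the name. */
int after_pathsep_checked(const char_u *b, const char_u *p)
{
    return p > b && is_pathsep(p[-1]) && head_off(b, p - 1) == 0;
}

/* Constructed input: an empty file name stored right after a '/' byte in
 * the same array, so p[-1] is a defined read but lies outside the name. */
static const char_u backing[] = { '/', '\0' };

int empty_name_unchecked(void) { return after_pathsep_unchecked(backing + 1, backing + 1); }
int empty_name_checked(void)   { return after_pathsep_checked(backing + 1, backing + 1); }

int main(void)
{
    const char_u dir[] = "dir/";

    printf("empty name, unchecked: %d\n", empty_name_unchecked());
    printf("empty name, checked:   %d\n", empty_name_checked());
    printf("\"dir/\" at end, checked: %d\n", after_pathsep_checked(dir, dir + 4));
    return 0;
}
```

With a heap block of size 1, as in the Valgrind report, the byte before the name belongs to the allocator, so the unguarded result depends on whatever happens to be stored there.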
    • Bram Moolenaar
      Message 2 of 2 , Jul 3, 2011
        Dominique Pelle wrote:

        > I can reproduce the following Valgrind error with Vim-7.3.237:
        [...]
        >
        > Steps to reproduce:
        >
        > - install the vcscommand plugin:
        > http://www.vim.org/scripts/script.php?script_id=90
        >
        > - run:
        > $ vim -c VCSVimDiff
        >
        > Running VCSVimDiff on an unnamed buffer does not make much sense
        > but it should not cause vim to access invalid memory.
        >
        > Code in misc2.c:
        >
        > 3219 /*
        > 3220 * Return TRUE if "p" points to just after a path separator.
        > 3221 * Take care of multi-byte characters.
        > 3222 * "b" must point to the start of the file name
        > 3223 */
        > 3224 int
        > 3225 after_pathsep(b, p)
        > 3226 char_u *b;
        > 3227 char_u *p;
        > 3228 {
        > 3229 return vim_ispathsep(p[-1])
        > 3230 && (!has_mbyte || (*mb_head_off)(b, p - 1) == 0);
        > 3231 }
        >
        > When the error happens, b and p are identical: they point to the beginning
        > of an empty string. So p[-1] at misc2.c:3229 is an invalid read of 1 byte
        > and the return value of after_pathsep() is then undefined.
        >
        > Attached patch fixes it.

        Thanks, I'll include it soon.

        --
        "Marriage is when a man and woman become as one; the trouble starts
        when they try to decide which one"

        /// Bram Moolenaar -- Bram@... -- http://www.Moolenaar.net \\\
        /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
        \\\ an exciting new programming language -- http://www.Zimbu.org ///
        \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
