Dominique Pelle wrote:
> Valgrind memory checker finds the following error in vim-7.1 (patches 1-94).
>
> ==14011== Conditional jump or move depends on uninitialised value(s)
> ==14011== at 0x80EE9B0: msg_puts_display (message.c:1947)
> ==14011== by 0x80EE657: msg_puts_attr_len (message.c:1819)
> ==14011== by 0x80EDC48: msg_outtrans_len_attr (message.c:1383)
> ==14011== by 0x80ED973: msg_outtrans_len (message.c:1274)
> ==14011== by 0x80AD7B9: draw_cmdline (ex_getln.c:2618)
> ==14011== by 0x80AE4F1: redrawcmd (ex_getln.c:3105)
> ==14011== by 0x80AE3E8: redrawcmdline (ex_getln.c:3057)
> ==14011== by 0x8194CEB: set_shellsize (term.c:3150)
> ==14011== by 0x8194B51: shell_resized (term.c:3042)
> ==14011== by 0x81316F3: handle_resize (os_unix.c:407)
> ==14011== by 0x8131682: mch_inchar (os_unix.c:369)
> ==14011== by 0x8197F89: ui_inchar (ui.c:193)
> ==14011==
> ==14011== Conditional jump or move depends on uninitialised value(s)
> ==14011== at 0x80EE9C7: msg_puts_display (message.c:1955)
> ==14011== by 0x80EE657: msg_puts_attr_len (message.c:1819)
> ==14011== by 0x80EDC48: msg_outtrans_len_attr (message.c:1383)
> ==14011== by 0x80ED973: msg_outtrans_len (message.c:1274)
> ==14011== by 0x80AD7B9: draw_cmdline (ex_getln.c:2618)
> ==14011== by 0x80AE4F1: redrawcmd (ex_getln.c:3105)
> ==14011== by 0x80AE3E8: redrawcmdline (ex_getln.c:3057)
> ==14011== by 0x8194CEB: set_shellsize (term.c:3150)
> ==14011== by 0x8194B51: shell_resized (term.c:3042)
> ==14011== by 0x81316F3: handle_resize (os_unix.c:407)
> ==14011== by 0x8131682: mch_inchar (os_unix.c:369)
> ==14011== by 0x8197F89: ui_inchar (ui.c:193)
> (etc, other errors)
>
>
> I can reproduce it 100% of the time by:
> - typing ":" to enter Ex mode
> - typing a couple of random chars in Ex mode,
>   for example ":aaaaaaaaaaaaaaaaaaa"
> - then resizing the terminal so that the end of the above Ex command reaches
>   exactly the end of the terminal.
>
> When vim gets the resize terminal event, and when the Ex command
> reaches exactly the end of the line, then the above errors are reported.
>
> The relevant code, where memory is used uninitialized, is (line 1947):
>
> message.c:
>
> 1945         /* When we displayed a char in last column need to check if there
> 1946          * is still more. */
> 1947         if (*s >= ' '
> 1948 #ifdef FEAT_RIGHTLEFT
> 1949                 && !cmdmsg_rl
> 1950 #endif
> 1951                 )
> 1952             continue;
> 1953     }
>
> The variable that is used uninitialized here is *s. By debugging, I found
> that it happens when s was set a couple of lines above in message.c:1907:
>
> 1892         /* Display char in last column before showing more-prompt. */
> 1893         if (*s >= ' '
> 1894 #ifdef FEAT_RIGHTLEFT
> 1895                 && !cmdmsg_rl
> 1896 #endif
> 1897                 )
> 1898         {
> 1899 #ifdef FEAT_MBYTE
> 1900             if (has_mbyte)
> 1901             {
> 1902                 if (enc_utf8 && maxlen >= 0)
> 1903                     /* avoid including composing chars after the end */
> 1904                     l = utfc_ptr2len_len(s, (int)((str + maxlen) - s));
> 1905                 else
> 1906                     l = (*mb_ptr2len)(s);
> 1907                 s = screen_puts_mbyte(s, l, attr);
> 1908             }
> 1909             else
> 1910 #endif
> 1911                 msg_screen_putchar(*s++, attr);
> 1912         }
>
> The problem happens because incrementing s at line 1907 can
> reach beyond the end of the str string. s is then used later beyond
> the end of the string str.
>
> I attach a patch which fixes the problem. Please review it to make
> sure it does not break anything.
>
> I'm using vim-7.94 on Linux x86, built with "configure --with-features=huge".
>
> Attached: patch-read-out-of-bounds.txt
Thanks for locating the problem and suggesting a fix.
I think the fix isn't quite right; it causes the more prompt to be
skipped. Also, when "maxlen" is negative it doesn't work correctly.
How about this change instead:
*** ../vim-7.1.094/src/message.c Tue Aug 7 21:59:26 2007
--- src/message.c Thu Aug 30 21:05:17 2007
***************
*** 1941,1946 ****
--- 1942,1951 ----
if (quit_more)
return;
}
+
+ /* Quit when at the end of the text, avoid reading past it. */
+ if (maxlen >= 0 && (int)(s - str) >= maxlen)
+ break;
/* When we displayed a char in last column need to check if there
* is still more. */
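Review bot: the new check only guards the maxlen >= 0 case, so for maxlen < 0 the loop still relies entirely on str being NUL-terminated; the added comment could say so ("for maxlen < 0 the NUL terminator stops the loop") to make the caller's contract explicit. The placement looks right: the break sits after the `if (quit_more) return;` so the more prompt is still shown, and before the `*s >= ' '` re-check that Valgrind flagged at message.c:1947, so both reported reads (1947 and 1955) are avoided.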
--
A cow comes flying over the battlements, lowing aggressively. The cow
lands on GALAHAD'S PAGE, squashing him completely.
"Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD
/// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
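A cut-down model of the loop and of the guard in the hunk above, added here as an illustration and not code from vim: COLUMNS is an assumed terminal width, and every read of *s goes through peek(), which counts a read past the valid text instead of performing it, so the unguarded and guarded walks can be compared on the reporter's "text ends exactly in the last column" case.

```c
/* Added illustration, not vim's code: a cut-down model of the
 * msg_puts_display() walk. As in the patch, maxlen < 0 means str is
 * NUL-terminated, else only the first maxlen bytes are valid. */
#define COLUMNS 8   /* assumed terminal width */
struct walk {
    const char *str;
    int maxlen;
    int col;        /* column the next char lands in */
    int oob_reads;  /* reads that went past the valid text */
};

/* Every read of *s goes through here: a read past the end is counted,
 * not performed (the real code would read whatever byte is there). */
static char peek(struct walk *w, const char *s)
{
    if (w->maxlen >= 0 && (int)(s - w->str) >= w->maxlen) {
        w->oob_reads++;
        return '\0';
    }
    return *s;
}

/* guarded == 0 reproduces the original loop, guarded == 1 adds the
 * patch's check. Returns how many reads went past the valid text. */
int display(const char *str, int maxlen, int guarded)
{
    struct walk w = { str, maxlen, 0, 0 };
    const char *s = str;
    char c;
    /* Same stop condition as the real while loop: length or NUL. */
    while ((maxlen < 0 || (int)(s - str) < maxlen) && *s != '\0') {
        if (w.col >= COLUMNS - 1 && peek(&w, s) >= ' ') {
            w.col = 0;      /* printable char shown in the last column, */
            s++;            /* line wraps; the more-prompt would follow */
            if (guarded && maxlen >= 0 && (int)(s - str) >= maxlen)
                break;      /* the patch: quit at the end of the text */
            if (peek(&w, s) >= ' ')  /* original: re-check *s unguarded */
                continue;
        }
        /* Normal path: inspect *s again (newline wraps), display, advance. */
        c = peek(&w, s);
        if (c == '\0')
            break;          /* NUL-terminated text ends here */
        if (c == '\n' || ++w.col >= COLUMNS)
            w.col = 0;
        s++;
    }
    return w.oob_reads;
}
```

display("abcdefgh", 8, 0) reports reads past the 8 valid bytes, display("abcdefgh", 8, 1) reports none, and both agree when the text does not end in the last column or is NUL-terminated.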
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php