Hi,

Vim-7.2.108 can read and write beyond allocated memory when using autocmd VimResized. The bug happens if a shell command is used in a VimResized autocmd such as...

:au! VimResized * sil !echo -ne "\033]12;green\007"

With this autocmd, I observe the following error with valgrind when resizing the screen with the mouse:

==29656== Invalid read of size 4
==29656==    at 0x8152A23: screenclear2 (screen.c:7698)
==29656==    by 0x81983BC: set_shellsize (term.c:3111)
==29656==    by 0x8198541: shell_resized (term.c:3040)
==29656==    by 0x8140A7E: mch_inchar (os_unix.c:426)
==29656==    by 0x819EF85: ui_inchar (ui.c:193)
==29656==    by 0x80CD9B2: inchar (getchar.c:2959)
==29656==    by 0x80CFB23: vgetorpeek (getchar.c:2735)
==29656==    by 0x80D0851: vgetc (getchar.c:1552)
==29656==    by 0x80D0DAA: safe_vgetc (getchar.c:1757)
==29656==    by 0x8122EC5: normal_cmd (normal.c:653)
==29656==    by 0x80E2F16: main_loop (main.c:1180)
==29656==    by 0x80E62D8: main (main.c:939)
==29656==  Address 0x566b6cc is 0 bytes after a block of size 92 alloc'd
==29656==    at 0x402603E: malloc (vg_replace_malloc.c:207)
==29656==    by 0x810B5E7: lalloc (misc2.c:859)
==29656==    by 0x8157531: screenalloc (screen.c:7438)
==29656==    by 0x8157D0D: screenclear (screen.c:7668)
==29656==    by 0x81983BC: set_shellsize (term.c:3111)
==29656==    by 0x8198541: shell_resized (term.c:3040)
==29656==    by 0x8140A7E: mch_inchar (os_unix.c:426)
==29656==    by 0x819EF85: ui_inchar (ui.c:193)
==29656==    by 0x80CD9B2: inchar (getchar.c:2959)
==29656==    by 0x80CFB23: vgetorpeek (getchar.c:2735)
==29656==    by 0x80D0851: vgetc (getchar.c:1552)
==29656==    by 0x80D0DAA: safe_vgetc (getchar.c:1757)
==29656==    by 0x8122EC5: normal_cmd (normal.c:653)
==29656==    by 0x80E2F16: main_loop (main.c:1180)
==29656==    by 0x80E62D8: main (main.c:939)

It also segfaults sometimes (not all the time).

The error happens because:

* screenalloc() allocates a screen of dimensions Rows x Columns
* Then it applies autocmd VimResized
* This autocmd may alter Rows & Columns after the screen was allocated.
* So when screenalloc() returns, it has allocated a screen for a size different than Rows x Columns
* screenclear2(), called after screenalloc() in screenclear(), can thus clear the screen beyond allocated memory (memory corruption).

It happens at least when the autocmd is a shell command, since call_shell() calls shell_resized_check() which can alter Rows & Columns.

The attached patch fixes it by calling the autocmd before screen memory is allocated rather than after the screen is allocated. So even if Rows & Columns are changed during the autocmd, the screen is still allocated with the right size at the end of screenalloc().

Cheers

-- 
Dominique

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
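The allocate-then-change-the-globals ordering described in the report, reduced to a stand-alone C program. This is an added example, not Vim's code and not the attached patch: Rows, Columns, ScreenLines, alloc_screen(), clear_screen_checked(), screenclear_buggy(), screenclear_fixed() and the grow_once hook are constructed stand-ins. The buggy ordering allocates for Rows x Columns, runs a hook that widens Columns (standing in for the shell command's shell_resized_check()), then clears with the new globals; the checked clear reports the overrun instead of performing it. The hardened ordering records the dimensions the block was allocated for, re-checks them after the hook and reallocates with a bounded retry, which is a different remedy from the reordering in the attached patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for Vim's globals; not Vim's code. */
static int Rows = 24;
static int Columns = 80;

/* The screen block and the dimensions it was actually allocated for. */
static char *ScreenLines = NULL;
static int screen_rows = 0;
static int screen_cols = 0;

/* A hook standing in for the VimResized autocmd: it may change Rows and
 * Columns, as a shell command does through shell_resized_check(). */
typedef void (*resize_hook)(void);

static void alloc_screen(void)
{
    free(ScreenLines);
    screen_rows = Rows;
    screen_cols = Columns;
    ScreenLines = malloc((size_t)screen_rows * (size_t)screen_cols);
    if (ScreenLines == NULL)
        abort();
}

/* Clear the screen from the globals, as screenclear2() does, but check the
 * request against the recorded allocation first. Returns 0 if the clear
 * stayed in bounds, -1 if it would have run past the block (the bug). */
static int clear_screen_checked(void)
{
    size_t need = (size_t)Rows * (size_t)Columns;
    size_t have = (size_t)screen_rows * (size_t)screen_cols;

    if (need > have)
        return -1;              /* overrun caught instead of performed */
    memset(ScreenLines, ' ', need);
    return 0;
}

/* Pre-patch ordering: allocate for Rows x Columns, run the hook, then clear
 * using whatever Rows and Columns are now. */
static int screenclear_buggy(resize_hook hook)
{
    alloc_screen();
    if (hook != NULL)
        hook();
    return clear_screen_checked();
}

/* Hardened ordering: after the hook runs, verify that Rows and Columns still
 * match the allocation and reallocate if they do not. The retry is bounded so
 * a hook that changes the size on every call cannot loop forever. */
static int screenclear_fixed(resize_hook hook)
{
    int tries;

    alloc_screen();
    for (tries = 0; tries < 3; ++tries)
    {
        if (hook != NULL)
            hook();
        if (Rows == screen_rows && Columns == screen_cols)
            break;
        alloc_screen();         /* size changed under us: allocate again */
    }
    return clear_screen_checked();
}

static int hook_calls = 0;

/* Constructed hook: widens the terminal the first time it runs, mimicking a
 * resize detected while the autocmd's shell command executes. */
static void grow_once(void)
{
    if (hook_calls++ == 0)
        Columns = 132;
}

/* Reset the globals and run one ordering; returns clear_screen_checked()'s
 * result so the two orderings can be compared. */
int run_scenario(int use_fixed)
{
    Rows = 24;
    Columns = 80;
    hook_calls = 0;
    return use_fixed ? screenclear_fixed(grow_once)
                     : screenclear_buggy(grow_once);
}

/* Dimensions the current screen block was allocated for. */
int allocated_cols(void) { return screen_cols; }

int main(void)
{
    printf("pre-patch ordering: %s\n",
           run_scenario(0) == 0 ? "ok" : "would overrun");
    printf("hardened ordering:  %s (allocated %dx%d)\n",
           run_scenario(1) == 0 ? "ok" : "would overrun",
           screen_rows, screen_cols);
    free(ScreenLines);
    return 0;
}
```

The check in clear_screen_checked() is the defensive point: a clear that derives its extent from globals must be bounded by the size the allocation actually used, otherwise any hook that runs between the two (here an autocmd) becomes a write past the block.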
Index: screen.c =================================================================== RCS file: /cvsroot/vim/vim7/src/screen.c,v retrieving revision 1.109 diff -c -r1.109 screen.c *** screen.c 2 Oct 2008 16:04:00 -0000 1.109 --- screen.c 17 Feb 2009 22:55:32 -0000 *************** *** 7393,7398 **** --- 7393,7407 ---- return; entered = TRUE; + #ifdef FEAT_AUTOCMD + if (starting == 0) + /* + * Apply autocmds before allocating screen memory, since Rows + * and Columns may be altered during execution of autocmds. + */ + apply_autocmds(EVENT_VIMRESIZED, NULL, NULL, FALSE, curbuf); + #endif + /* * Note that the window sizes are updated before reallocating the arrays, * thus we must not redraw here! *************** *** 7634,7644 **** entered = FALSE; --RedrawingDisabled; - - #ifdef FEAT_AUTOCMD - if (starting == 0) - apply_autocmds(EVENT_VIMRESIZED, NULL, NULL, FALSE, curbuf); - #endif } void --- 7643,7648 ----
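Review bot: in the first hunk the new apply_autocmds(EVENT_VIMRESIZED, ...) call sits after the early `return;` and `entered = TRUE;` shown in the context and before the comment "Note that the window sizes are updated before reallocating the arrays, thus we must not redraw here!", so the autocmds now run with `entered` set, inside the region the comment marks as unsafe to redraw. Two things to confirm: (1) the nested path the report describes, call_shell() -> shell_resized_check() -> set_shellsize() -> screenclear(), now returns early from the inner screenalloc() because of the `entered` guard, yet screenclear() still goes on to screenclear2() with the already-updated Rows/Columns and the not-yet-reallocated arrays, which looks like the same out-of-bounds pattern the valgrind trace shows (screenclear2 reached from set_shellsize); (2) `--RedrawingDisabled;` appears at the end of the function in the second hunk but its increment is not in this hunk's context, so check whether redrawing is actually disabled while the autocmds execute at the new position. If the inner screenclear2() call is reachable, a bounds check in screenclear2() against the allocated size, or running the autocmds after allocation with a size re-check, would close it.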
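Review bot: the second hunk deletes the post-allocation apply_autocmds() call outright, so after the move nothing verifies, at the point screenalloc() returns, that Rows and Columns still equal the dimensions the arrays were just allocated for; the report's own description of the bug is exactly that mismatch. Consider keeping a check at that spot: record the Rows/Columns used for allocation and, if they differ once the autocmds have run (whichever order they end up in), reallocate, with a small bounded retry count so an autocmd that changes the size on every invocation cannot loop.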