Dominique Pelle wrote:
> Vim-7.2.108 can read and write beyond allocated memory when
> using autocmd VimResized. Bug happens if a shell command is
> used in VimResized autocmd such as...
>
> :au! VimResized * sil !echo -ne "\033]12;green\007"
>
> With this autocmd, I observe the following error with valgrind
> when resizing the screen with the mouse:
>
> ==29656== Invalid read of size 4
> ==29656== at 0x8152A23: screenclear2 (screen.c:7698)
> ==29656== by 0x81983BC: set_shellsize (term.c:3111)
> ==29656== by 0x8198541: shell_resized (term.c:3040)
> ==29656== by 0x8140A7E: mch_inchar (os_unix.c:426)
> ==29656== by 0x819EF85: ui_inchar (ui.c:193)
> ==29656== by 0x80CD9B2: inchar (getchar.c:2959)
> ==29656== by 0x80CFB23: vgetorpeek (getchar.c:2735)
> ==29656== by 0x80D0851: vgetc (getchar.c:1552)
> ==29656== by 0x80D0DAA: safe_vgetc (getchar.c:1757)
> ==29656== by 0x8122EC5: normal_cmd (normal.c:653)
> ==29656== by 0x80E2F16: main_loop (main.c:1180)
> ==29656== by 0x80E62D8: main (main.c:939)
> ==29656== Address 0x566b6cc is 0 bytes after a block of size 92 alloc'd
> ==29656== at 0x402603E: malloc (vg_replace_malloc.c:207)
> ==29656== by 0x810B5E7: lalloc (misc2.c:859)
> ==29656== by 0x8157531: screenalloc (screen.c:7438)
> ==29656== by 0x8157D0D: screenclear (screen.c:7668)
> ==29656== by 0x81983BC: set_shellsize (term.c:3111)
> ==29656== by 0x8198541: shell_resized (term.c:3040)
> ==29656== by 0x8140A7E: mch_inchar (os_unix.c:426)
> ==29656== by 0x819EF85: ui_inchar (ui.c:193)
> ==29656== by 0x80CD9B2: inchar (getchar.c:2959)
> ==29656== by 0x80CFB23: vgetorpeek (getchar.c:2735)
> ==29656== by 0x80D0851: vgetc (getchar.c:1552)
> ==29656== by 0x80D0DAA: safe_vgetc (getchar.c:1757)
> ==29656== by 0x8122EC5: normal_cmd (normal.c:653)
> ==29656== by 0x80E2F16: main_loop (main.c:1180)
> ==29656== by 0x80E62D8: main (main.c:939)
>
> It also segfaults sometimes (not all the time).
>
> Error happens because:
> * screenalloc() allocates a screen of dimensions Rows x Columns
> * Then applies autocmd VimResized
> * This autocmd may alter Rows & Columns after screen
>   was allocated.
> * So when screenalloc() returns, it has allocated a screen
>   for a size different than Rows Columns
> * screenclear2() called after screenalloc() in screenclear()
>   then can thus clear the screen beyond allocated memory
>   (memory corruption).
>
> It happens at least when autocmd is a shell command since
> call_shell() calls shell_resized_check() which can alter
> Rows & Columns.
>
> Attached patch fixes it by calling the autocmd before
> screen memory is allocated rather than after screen
> is allocated. So even if Rows & Columns are changed during
> the autocmd, screen is still allocated with the right size at
> the end of screenalloc().

Thanks. Not sure if the solution is OK, will have to check that. What if the
autocommand relies on the screen already being allocated? This is tricky
stuff.

--
From "know your smileys":
:-D Big smile

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute -- http://www.A-A-P.org ///
 \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
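An added model of the ordering problem described in the report, not code from Vim or from the attached patch: the buffer is sized from the globals Rows/Columns, a callback standing in for the VimResized autocmd changes those globals, and the clear step is bounds-checked so the stale-size case is reported instead of corrupting memory. The names and the 4x23 = 92 byte starting size are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed globals mirroring Vim's Rows/Columns and the screen buffer. */
int Rows = 4, Columns = 23;            /* 4 * 23 = 92 bytes, as in the valgrind report */
static char *ScreenLines = NULL;
static size_t screen_alloc_size = 0;   /* what was really allocated */

void reset_screen_globals(void) { Rows = 4; Columns = 23; }

/* Stand-in for the autocmd: a resize noticed while the shell command runs. */
static void vim_resized_autocmd(void) { Rows = 5; Columns = 30; }

/* Allocate the screen from the current Rows/Columns. Returns -1 on OOM. */
static int screenalloc_model(void) {
    free(ScreenLines);
    screen_alloc_size = (size_t)Rows * (size_t)Columns;
    ScreenLines = malloc(screen_alloc_size);
    if (ScreenLines == NULL) { screen_alloc_size = 0; return -1; }
    return 0;
}

/* Clear using the current Rows/Columns, but refuse to write past the
   allocation. Returns 1 when the clear would overflow (the reported bug). */
static int screenclear2_checked(void) {
    size_t needed = (size_t)Rows * (size_t)Columns;
    if (needed > screen_alloc_size)
        return 1;
    memset(ScreenLines, ' ', needed);
    return 0;
}

/* Buggy order: allocate, run the autocmd, then clear with a stale size. */
int screenclear_buggy(void) {
    if (screenalloc_model() != 0) return -1;
    vim_resized_autocmd();              /* Rows/Columns grow after allocation */
    return screenclear2_checked();      /* 1: clear exceeds the 92-byte block */
}

/* Order the patch proposes: run the autocmd first, then allocate. */
int screenclear_fixed(void) {
    vim_resized_autocmd();              /* any resize happens before sizing */
    if (screenalloc_model() != 0) return -1;
    return screenclear2_checked();      /* 0: allocation matches Rows/Columns */
}
```

The check in screenclear2_checked() is what a defensive clear would do; the real bug has no such check, which is why the overrun only shows up under valgrind or as an intermittent segfault.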
