Hi

Vim is using freed memory when invoking ":redrawstatus"
while redrawing the statusline:

==23085== Invalid read of size 1
==23085==    at 0x80773FB: build_stl_str_hl (buffer.c:3441)
==23085==    by 0x8178ADB: win_redr_custom (screen.c:6093)
==23085==    by 0x8178F04: redraw_custum_statusline (screen.c:5898)
==23085==    by 0x817B16E: win_redr_status (screen.c:5768)
==23085==    by 0x81857A5: update_screen (screen.c:529)
==23085==    by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
==23085==    by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
==23085==    by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
==23085==    by 0x80A477E: call_user_func (eval.c:21250)
==23085==    by 0x80A51C8: call_func (eval.c:8111)
==23085==    by 0x80A893B: get_func_tv (eval.c:7957)
==23085==    by 0x80A6BF9: eval7 (eval.c:5013)
==23085==    by 0x80A7564: eval6 (eval.c:4680)
==23085==    by 0x80A77DE: eval5 (eval.c:4496)
==23085==    by 0x80A7B41: eval4 (eval.c:4191)
==23085==    by 0x80A847B: eval3 (eval.c:4103)
==23085==    by 0x80A85AC: eval1 (eval.c:4032)
==23085==    by 0x80A97CD: eval0 (eval.c:3914)
==23085==    by 0x80A9B8C: eval_to_string (eval.c:1296)
==23085==    by 0x80A9F6A: eval_to_string_safe (eval.c:1340)
==23085==    by 0x8078B87: build_stl_str_hl (buffer.c:3698)
==23085==    by 0x8178ADB: win_redr_custom (screen.c:6093)
==23085==    by 0x8178F04: redraw_custum_statusline (screen.c:5898)
==23085==    by 0x817B16E: win_redr_status (screen.c:5768)
==23085==    by 0x81857A5: update_screen (screen.c:529)
==23085==    by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
==23085==    by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
==23085==    by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
==23085==    by 0x80A477E: call_user_func (eval.c:21250)
==23085==    by 0x80A51C8: call_func (eval.c:8111)
==23085==  Address 0x5acf6fd is 13 bytes inside a block of size 15 free'd
==23085==    at 0x4024E5A: free (vg_replace_malloc.c:323)
==23085==    by 0x8157129: set_string_option_direct (option.c:5359)
==23085==    by 0x8178F46: redraw_custum_statusline (screen.c:5900)
==23085==    by 0x817B16E: win_redr_status (screen.c:5768)
==23085==    by 0x81857A5: update_screen (screen.c:529)
==23085==    by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
==23085==    by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
==23085==    by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
==23085==    by 0x80A477E: call_user_func (eval.c:21250)
==23085==    by 0x80A51C8: call_func (eval.c:8111)
==23085==    by 0x80A893B: get_func_tv (eval.c:7957)
==23085==    by 0x80A6BF9: eval7 (eval.c:5013)
==23085==    by 0x80A7564: eval6 (eval.c:4680)
==23085==    by 0x80A77DE: eval5 (eval.c:4496)
==23085==    by 0x80A7B41: eval4 (eval.c:4191)
==23085==    by 0x80A847B: eval3 (eval.c:4103)
==23085==    by 0x80A85AC: eval1 (eval.c:4032)
==23085==    by 0x80A97CD: eval0 (eval.c:3914)
==23085==    by 0x80A9B8C: eval_to_string (eval.c:1296)
==23085==    by 0x80A9F6A: eval_to_string_safe (eval.c:1340)
==23085==    by 0x8078B87: build_stl_str_hl (buffer.c:3698)
==23085==    by 0x8178ADB: win_redr_custom (screen.c:6093)
==23085==    by 0x8178F04: redraw_custum_statusline (screen.c:5898)
==23085==    by 0x817B16E: win_redr_status (screen.c:5768)
==23085==    by 0x81857A5: update_screen (screen.c:529)
==23085==    by 0x80C4ED0: ex_redrawstatus (ex_docmd.c:8624)
==23085==    by 0x80CE996: do_one_cmd (ex_docmd.c:2620)
==23085==    by 0x80CCC92: do_cmdline (ex_docmd.c:1096)
==23085==    by 0x80A477E: call_user_func (eval.c:21250)
==23085==    by 0x80A51C8: call_func (eval.c:8111)

Here is a minimalistic way to reproduce the bug:

$ cat .vimrc-test

set nocompatible
set laststatus=2

function! Foo()
  redrawstatus
endfunction

set statusline='%{Foo()}'

$ valgrind vim -u .vimrc-test 2> vg.log

Then observe the errors in vg.log.

I'm using vim-7.2.191 on Linux.
Attached patch fixes it.

-- Dominique

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---

Index: screen.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/screen.c,v
retrieving revision 1.120
diff -c -r1.120 screen.c
*** screen.c	17 May 2009 11:32:06 -0000	1.120
--- screen.c	1 Jun 2009 08:24:43 -0000
***************
*** 5743,5748 ****
--- 5743,5752 ----
      int		fillchar;
      int		attr;
      int		this_ru_col;
+     static int	recursive = 0;
+ 
+     if (recursive++ > 0)
+ 	return;
  
      wp->w_redr_status = FALSE;
      if (wp->w_status_height == 0)
***************
*** 5881,5886 ****
--- 5885,5891 ----
  									attr);
      }
  #endif
+     recursive--;
  }
  
  #ifdef FEAT_STL_OPT
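Review bot: `recursive--` runs only on the fall-through path at the closing brace; any `return` between the guard at the top of the function and this point (none are visible in the hunk, so the full body needs checking) would leave the counter elevated, after which the guard rejects every later call. If such paths exist, the decrement belongs on each of them too, or the function should route all exits through a single label before the decrement.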
