Hi

Vim-7.2.377 is using freed memory when closing the "[Command Line]" window and when the 'bufhidden' option is set to 'wipe':

==10070== Invalid read of size 4
==10070==    at 0x80532A0: close_buffer (buffer.c:330)
==10070==    by 0x80BC21F: ex_window (ex_getln.c:6254)
==10070==    by 0x80B395A: getcmdline (ex_getln.c:736)
==10070==    by 0x811DB8C: nv_search (normal.c:6147)
==10070==    by 0x8115D28: normal_cmd (normal.c:1188)
==10070==    by 0x80DE00B: main_loop (main.c:1211)
==10070==    by 0x80DDB02: main (main.c:955)
==10070==  Address 0x4f13d60 is 3,240 bytes inside a block of size 4,496 free'd
==10070==    at 0x4024B8A: free (vg_replace_malloc.c:366)
==10070==    by 0x8107976: vim_free (misc2.c:1647)
==10070==    by 0x8053844: free_buffer (buffer.c:612)
==10070==    by 0x805354E: close_buffer (buffer.c:464)
==10070==    by 0x81ABAF3: win_close (window.c:2201)
==10070==    by 0x80BC204: ex_window (ex_getln.c:6253)
==10070==    by 0x80B395A: getcmdline (ex_getln.c:736)
==10070==    by 0x811DB8C: nv_search (normal.c:6147)
==10070==    by 0x8115D28: normal_cmd (normal.c:1188)
==10070==    by 0x80DE00B: main_loop (main.c:1211)
==10070==    by 0x80DDB02: main (main.c:955)
(more errors after that)

Steps to reproduce:

1/ Run:

   $ valgrind --log-file=vg.log \
     vim -u NONE -c ':call feedkeys("q/:setlocal bh=wipe\<cr>\<c-c>\<c-c>")'

2/ Observe errors in log file 'vg.log'

Code in src/ex_getln.c:

6253     win_close(wp, TRUE);
6254     close_buffer(NULL, bp, DOBUF_WIPE);

Line ex_getln.c:6253 may wipe the buffer 'bp' when the 'bufhidden' option is set to 'wipe', and the call to close_buffer() at the next line, ex_getln.c:6254, then accesses freed memory.

I stumbled upon this bug when using the ManPageView plugin (http://www.vim.org/scripts/script.php?script_id=489). Pressing K in the "[Command Line]" window with the ManPageView plugin triggered this error.

Attached patch fixes it.

Cheers
-- Dominique

--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
diff -r 0e4631bf9441 src/ex_getln.c --- a/src/ex_getln.c Fri Feb 26 22:05:22 2010 +0100 +++ b/src/ex_getln.c Sun Feb 28 12:52:52 2010 +0100 @@ -6251,7 +6251,11 @@ bp = curbuf; win_goto(old_curwin); win_close(wp, TRUE); - close_buffer(NULL, bp, DOBUF_WIPE); + + /* win_close() may have already wiped the buffer when 'bh' is + * set to 'wipe' */ + if (buf_valid(bp)) + close_buffer(NULL, bp, DOBUF_WIPE); /* Restore window sizes. */ win_size_restore(&winsizes);
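Review bot: the buf_valid(bp) guard added before close_buffer() only establishes that some buffer is on the buffer list at bp's address (buf_valid() is a pointer comparison against the list), so it is correct only as long as nothing that runs inside win_close(wp, TRUE) after freeing bp allocates a new buf_T that lands at the same address; if that happened the check would pass and close_buffer() would wipe a different buffer. An exact alternative is to decide before the call whether win_close() is going to wipe bp, since bp's 'bufhidden' value is known at that point, and skip close_buffer() on that basis; if the buf_valid() form is kept, the comment should say that it relies on bp not being recycled across win_close(). Minor: the comment says 'bh' while the rest of the report uses the full name 'bufhidden'; spelling it out helps anyone grepping the source for the option.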
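As an added illustration (my own constructed model, not Vim's code and not part of the report or patch above): the close sequence from ex_window() reduced to a few dozen lines of C, with the buffer list, 'bufhidden' and buf_valid() cut down to what the bug needs. The names buflist_new(), win_close(), close_buffer() and buf_valid() mirror Vim's but their bodies are simplified; freed buffers are quarantined rather than passed to free() so the stale access in the unpatched order is reported as a return value instead of being undefined behaviour (Valgrind plays that role for the real binary). It shows the unpatched order failing for 'bufhidden'="wipe" and the buf_valid() guard from the patch avoiding it.

```c
/*
 * Constructed model of the ex_window() close sequence from the report.
 * Not Vim code: the buffer list, 'bufhidden' and buf_valid() are reduced
 * to the minimum needed to show why close_buffer() after win_close() is a
 * use-after-free when 'bufhidden' is "wipe", and how the buf_valid() guard
 * avoids it.  Freed buffers are quarantined (marked, not free()'d) so a
 * stale access is reported instead of being undefined behaviour.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { BH_EMPTY, BH_HIDE, BH_WIPE } bufhidden_T;

typedef struct buf_S {
    struct buf_S *b_next;
    bufhidden_T   b_p_bh;      /* 'bufhidden' value of this buffer */
    int           b_freed;     /* model only: set instead of calling free() */
    char          b_fname[32];
} buf_T;

static buf_T *firstbuf = NULL;      /* head of the buffer list */
static buf_T *quarantine[64];       /* model only: "freed" buffers kept alive */
static int    nquarantine = 0;

buf_T *buflist_new(const char *fname, bufhidden_T bh)
{
    buf_T *bp = calloc(1, sizeof(*bp));
    if (bp == NULL)
        abort();
    strncpy(bp->b_fname, fname, sizeof(bp->b_fname) - 1);
    bp->b_p_bh = bh;
    bp->b_next = firstbuf;
    firstbuf = bp;
    return bp;
}

/* Like Vim's buf_valid(): a pointer walk over the buffer list. */
int buf_valid(const buf_T *bp)
{
    for (const buf_T *p = firstbuf; p != NULL; p = p->b_next)
        if (p == bp)
            return 1;
    return 0;
}

/* Unlink bp and "free" it.  Returns 0 on success, -1 when bp was already
 * freed: the stale access Valgrind reported at buffer.c:330. */
int close_buffer(buf_T *bp)
{
    if (bp->b_freed)
        return -1;
    for (buf_T **pp = &firstbuf; *pp != NULL; pp = &(*pp)->b_next)
        if (*pp == bp) { *pp = bp->b_next; break; }
    bp->b_freed = 1;
    if (nquarantine < 64)
        quarantine[nquarantine++] = bp;
    return 0;
}

/* Closing the last window of a buffer whose 'bufhidden' is "wipe" wipes it. */
void win_close(buf_T *wbuf)
{
    if (wbuf->b_p_bh == BH_WIPE)
        close_buffer(wbuf);
}

/* ex_getln.c:6253-6254 before the patch: bp used after win_close() may
 * have wiped it. */
int cmdwin_close_unpatched(buf_T *bp)
{
    win_close(bp);
    return close_buffer(bp);
}

/* With the patch: touch bp only while it is still on the buffer list. */
int cmdwin_close_patched(buf_T *bp)
{
    win_close(bp);
    if (buf_valid(bp))
        return close_buffer(bp);
    return 0;
}

static void reset_model(void)
{
    while (firstbuf != NULL) {
        buf_T *next = firstbuf->b_next;
        free(firstbuf);
        firstbuf = next;
    }
    while (nquarantine > 0)
        free(quarantine[--nquarantine]);
}

/* One scenario: an unrelated buffer plus the "[Command Line]" buffer with
 * the given 'bufhidden'; returns the close result (0 ok, -1 stale access). */
int run_scenario(bufhidden_T bh, int patched)
{
    buflist_new("other.txt", BH_EMPTY);
    buf_T *bp = buflist_new("[Command Line]", bh);
    int rc = patched ? cmdwin_close_patched(bp) : cmdwin_close_unpatched(bp);
    reset_model();
    return rc;
}

int main(void)
{
    printf("bh=wipe unpatched: %d\n", run_scenario(BH_WIPE, 0));  /* -1: freed bp touched */
    printf("bh=wipe patched:   %d\n", run_scenario(BH_WIPE, 1));
    printf("bh=hide unpatched: %d\n", run_scenario(BH_HIDE, 0));
    return 0;
}
```

The unpatched order only goes wrong for "wipe": with "hide" (or the default) win_close() leaves the buffer on the list and the later close_buffer() is the first and only free, which is why the bug needed ':setlocal bh=wipe' in the command-line window to show up.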