Dominique Pelle wrote:

> Vim-7.2.377 is using free memory when closing the "[Command Line]"
> window and when 'bufhidden' option is set to 'wipe':
>
> ==10070== Invalid read of size 4
> ==10070==    at 0x80532A0: close_buffer (buffer.c:330)
> ==10070==    by 0x80BC21F: ex_window (ex_getln.c:6254)
> ==10070==    by 0x80B395A: getcmdline (ex_getln.c:736)
> ==10070==    by 0x811DB8C: nv_search (normal.c:6147)
> ==10070==    by 0x8115D28: normal_cmd (normal.c:1188)
> ==10070==    by 0x80DE00B: main_loop (main.c:1211)
> ==10070==    by 0x80DDB02: main (main.c:955)
> ==10070==  Address 0x4f13d60 is 3,240 bytes inside a block of size 4,496
> free'd
> ==10070==    at 0x4024B8A: free (vg_replace_malloc.c:366)
> ==10070==    by 0x8107976: vim_free (misc2.c:1647)
> ==10070==    by 0x8053844: free_buffer (buffer.c:612)
> ==10070==    by 0x805354E: close_buffer (buffer.c:464)
> ==10070==    by 0x81ABAF3: win_close (window.c:2201)
> ==10070==    by 0x80BC204: ex_window (ex_getln.c:6253)
> ==10070==    by 0x80B395A: getcmdline (ex_getln.c:736)
> ==10070==    by 0x811DB8C: nv_search (normal.c:6147)
> ==10070==    by 0x8115D28: normal_cmd (normal.c:1188)
> ==10070==    by 0x80DE00B: main_loop (main.c:1211)
> ==10070==    by 0x80DDB02: main (main.c:955)
> (more errors after that)
>
> Steps to reproduce:
>
> 1/ Run:
>
>   $ valgrind --log-file=vg.log \
>     vim -u NONE -c ':call feedkeys("q/:setlocal bh=wipe\<cr>\<c-c>\<c-c>")'
>
> 2/ Observe errors in log file 'vg.log'
>
> Code in src/ex_getln.c:
>
> 6253     win_close(wp, TRUE);
> 6254     close_buffer(NULL, bp, DOBUF_WIPE);
>
> Line ex_getln.c:6253 may wipe the buffer 'bp' when
> 'bufhidden' option is set to 'wipe' and call to
> close_buffer() at next line ex_getln.c:6254 then
> accesses freed memory.
>
> I stumbled upon this bug when using the ManPageView
> plugin (http://www.vim.org/scripts/script.php?script_id=489).
> Pressing K in the "[Command Line]" window with ManPageView
> plugin triggered this error.
>
> Attached patch fixes it.

Thanks!  I'll add it to my todo list.

-- 
GALAHAD: No, please.  Please! I can defeat them!  There's only a hundred.
GIRLS:   He will beat us easily.  We haven't a chance.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- b...@moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
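
The double-close pattern from the report, as an added example that is not Vim source and not the attached patch: closing the window may already free the buffer, so the caller re-resolves it by number before the second close instead of reusing the stale pointer. All names here (`buf_new`, `buf_find`, `buf_wipe`, `window_close`, `close_cmdwin_guarded`) are hypothetical and the buffer list is a constructed model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a buffer list; hypothetical names, not Vim's code. */
typedef struct buf {
    struct buf *next;
    int fnum;          /* stable handle that survives the pointer going stale */
    int wipe_on_hide;  /* stands in for 'bufhidden' set to 'wipe' */
    int nwindows;      /* windows currently showing this buffer */
} buf_T;
static buf_T *first_buf = NULL;
static int next_fnum = 1;

static buf_T *buf_new(int wipe_on_hide) {
    buf_T *b = calloc(1, sizeof *b);
    if (b == NULL) abort();
    b->fnum = next_fnum++;
    b->wipe_on_hide = wipe_on_hide;
    b->nwindows = 1;
    b->next = first_buf;
    first_buf = b;
    return b;
}
/* Resolve a handle against live buffers only; freed memory is never read. */
static buf_T *buf_find(int fnum) {
    for (buf_T *b = first_buf; b != NULL; b = b->next)
        if (b->fnum == fnum) return b;
    return NULL;
}
/* Unlink and free a live buffer. */
static void buf_wipe(buf_T *bp) {
    for (buf_T **pp = &first_buf; *pp != NULL; pp = &(*pp)->next)
        if (*pp == bp) { *pp = bp->next; free(bp); return; }
}
/* Models the first call: closing the last window may wipe the buffer. */
static void window_close(buf_T *bp) {
    if (--bp->nwindows == 0 && bp->wipe_on_hide) buf_wipe(bp);
}
/* Guarded two-step close. Returns 1 if the explicit wipe ran, 0 if the
 * window close had already freed the buffer and the wipe was skipped. */
static int close_cmdwin_guarded(buf_T *bp) {
    int fnum = bp->fnum;      /* save the handle while bp is still valid */
    window_close(bp);         /* bp may dangle from here on */
    bp = buf_find(fnum);      /* re-resolve instead of trusting the pointer */
    if (bp == NULL) return 0;
    buf_wipe(bp);
    return 1;
}
int main(void) {
    printf("wipe-on-hide: %d\n", close_cmdwin_guarded(buf_new(1)));
    printf("plain buffer: %d\n", close_cmdwin_guarded(buf_new(0)));
    return 0;
}
```

Looking the buffer up by number rather than comparing the old pointer against the list also avoids a false match if the allocator hands the same address to a new buffer.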