Dominique Pelle wrote:

> Valgrind detects access to uninitialized memory in both Vim-7.2.446 and
> Vim-7.3.c BETA (2448:943280505f72) with the i_CTRL-X_s feature: spell
> suggestion of word in front of cursor. It happens when word in front of
> cursor is only 1 letter long and a vowel.  I think that vowels are ignored
> in the Soundex algorithm so variable goodsound at spell.c:14758 is an
> empty string and goodsound[1] is accessed (beyond end of string).
> 
> Steps to reproduce:
> 
> 1) Run:
> 
> $ valgrind --num-callers=50 --track-origins=yes 2> vg.log \
>   vim -u NONE -c 'set spell' -c 'call feedkeys("aa\<C-X>s")'
> 
> 2) Observe the following error in vg.log:
> 
> ==3666== Conditional jump or move depends on uninitialised value(s)
> ==3666==    at 0x81A000B: soundalike_score (spell.c:14758)
> ==3666==    by 0x819CC0C: stp_sal_score (spell.c:13142)
> ==3666==    by 0x819E3F2: rescore_one (spell.c:13923)
> ==3666==    by 0x819E2EC: rescore_suggestions (spell.c:13896)
> ==3666==    by 0x8197186: spell_suggest_intern (spell.c:10791)
> ==3666==    by 0x8196D66: spell_find_suggest (spell.c:10641)
> ==3666==    by 0x81966EB: spell_suggest_list (spell.c:10494)
> ==3666==    by 0x81A24D5: expand_spelling (spell.c:16021)
> ==3666==    by 0x806AD86: ins_compl_get_exp (edit.c:4163)
> ==3666==    by 0x806B7CB: ins_compl_next (edit.c:4506)
> ==3666==    by 0x806CA13: ins_complete (edit.c:5139)
> ==3666==    by 0x80669EC: edit (edit.c:1366)
> ==3666==    by 0x813427C: invoke_edit (normal.c:9024)
> ==3666==    by 0x8134222: nv_edit (normal.c:8997)
> ==3666==    by 0x8127BFB: normal_cmd (normal.c:1190)
> ==3666==    by 0x80E8ECF: main_loop (main.c:1260)
> ==3666==    by 0x80E8904: main (main.c:965)
> ==3666==  Uninitialised value was created by a stack allocation
> ==3666==    at 0x819C9BB: stp_sal_score (spell.c:13096)
> 
> Attached patch fixes it, but please review it as I can't say
> that I understand all details of the soundalike algorithm.

I could see it happen when finding a suggestion for the word "u".
Some of the alternatives, such as "W" or "Y" have an empty soundfold
result.

I think changing "*" to empty deserves a score of SCORE_DEL.  If there
is more after the "*" then SCORE_MAXMAX seems appropriate.
I'll make it work like that.

-- 
I once paid $12 to peer at the box that held King Tutankhamen's little
bandage-covered midget corpse at the De Young Museum in San Francisco.  I
remember thinking how pleased he'd be about the way things turned out in his
afterlife.
                                (Scott Adams - The Dilbert principle)

 /// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
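
The check order discussed in this thread, as an added example that is not Vim's spell.c code and not part of either message: index 0 is tested for NUL before index 1 of the other string is read, so an empty fold in a stack buffer is never read past its terminator. The names `toy_soundfold`, `leading_star_score`, `score_words`, the `EX_` constants and the folding rules are all constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed values for this example, not taken from Vim's spell.c. */
enum { EX_SCORE_DEL = 94, EX_SCORE_MAXMAX = 999999, EX_NO_SPECIAL_CASE = -1 };

/* Toy folding (assumption): leading vowel -> '*', other vowels and h/w/y dropped.
 * Only bytes up to the NUL are written; the rest of the buffer stays uninitialised. */
static void toy_soundfold(const char *word, char *out, size_t outlen)
{
    size_t n = 0;
    for (size_t i = 0; word[i] != '\0' && n + 1 < outlen; i++) {
        int c = tolower((unsigned char)word[i]);
        if (strchr("aeiou", c) != NULL) {
            if (i == 0) out[n++] = '*';
        } else if (isalpha(c) && strchr("hwy", c) == NULL) {
            out[n++] = (char)toupper(c);
        }
    }
    out[n] = '\0';
}

/* Case where exactly one fold starts with '*'. An index-1 read happens only
 * after the other string is known to be empty, so this one must hold "*". */
static int leading_star_score(const char *bad, const char *good)
{
    if ((*bad != '*' && *good != '*') || *bad == *good)
        return EX_NO_SPECIAL_CASE;
    if ((bad[0] == '\0' && good[1] == '\0') || (good[0] == '\0' && bad[1] == '\0'))
        return EX_SCORE_DEL;        /* "*" against an empty fold */
    if (bad[0] == '\0' || good[0] == '\0')
        return EX_SCORE_MAXMAX;     /* empty fold against "*" plus more */
    return EX_NO_SPECIAL_CASE;      /* both non-empty: normal comparison applies */
}

int score_words(const char *badword, const char *goodword)
{
    char bad[32], good[32];         /* stack buffers, deliberately not zeroed */
    toy_soundfold(badword, bad, sizeof bad);
    toy_soundfold(goodword, good, sizeof good);
    return leading_star_score(bad, good);
}

int main(void)
{
    printf("u/W -> %d, up/W -> %d\n", score_words("u", "W"), score_words("up", "W"));
    return 0;
}
```

Building this with `-g` and running it under the valgrind options from the report should produce no "uninitialised value" error for the `"u"`/`"W"` pair.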
