Hi
I can reproduce the following Valgrind error with Vim-7.3.237:
==7744== Invalid read of size 1
==7744== at 0x8110B39: after_pathsep (misc2.c:3229)
==7744== by 0x8086820: f_resolve (eval.c:15130)
==7744== by 0x807D828: call_func (eval.c:8380)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x8079860: eval7 (eval.c:5128)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x807D2DC: get_func_tv (eval.c:8178)
==7744== by 0x8079860: eval7 (eval.c:5128)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x8077DD5: eval0 (eval.c:4012)
==7744== by 0x80745B4: ex_let (eval.c:1885)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x8091F91: call_user_func (eval.c:22116)
==7744== by 0x807D726: call_func (eval.c:8351)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x808C9E9: handle_subscript (eval.c:19186)
==7744== by 0x8079900: eval7 (eval.c:5154)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x8077DD5: eval0 (eval.c:4012)
==7744== by 0x80745B4: ex_let (eval.c:1885)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x8091F91: call_user_func (eval.c:22116)
==7744== by 0x807D726: call_func (eval.c:8351)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x8079860: eval7 (eval.c:5128)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x8077DD5: eval0 (eval.c:4012)
==7744== by 0x80745B4: ex_let (eval.c:1885)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x8091F91: call_user_func (eval.c:22116)
==7744== by 0x807D726: call_func (eval.c:8351)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x8076FBF: ex_call (eval.c:3435)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x80AE381: do_ucmd (ex_docmd.c:6168)
==7744== by 0x80A89E7: do_one_cmd (ex_docmd.c:2663)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x80A59A3: do_cmdline_cmd (ex_docmd.c:728)
==7744== by 0x81E8C0D: exe_commands (main.c:2810)
==7744== by 0x81E62E6: main (main.c:884)
==7744== Address 0x53958f7 is 1 bytes before a block of size 1 alloc'd
==7744== at 0x4025230: malloc (vg_replace_malloc.c:236)
==7744== by 0x810E7B7: lalloc (misc2.c:918)
==7744== by 0x810E6D4: alloc (misc2.c:817)
==7744== by 0x810EBA2: vim_strsave (misc2.c:1235)
==7744== by 0x8086317: f_resolve (eval.c:14976)
==7744== by 0x807D828: call_func (eval.c:8380)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x8079860: eval7 (eval.c:5128)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x807D2DC: get_func_tv (eval.c:8178)
==7744== by 0x8079860: eval7 (eval.c:5128)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x8077DD5: eval0 (eval.c:4012)
==7744== by 0x80745B4: ex_let (eval.c:1885)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x8091F91: call_user_func (eval.c:22116)
==7744== by 0x807D726: call_func (eval.c:8351)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x808C9E9: handle_subscript (eval.c:19186)
==7744== by 0x8079900: eval7 (eval.c:5154)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x8077DD5: eval0 (eval.c:4012)
==7744== by 0x80745B4: ex_let (eval.c:1885)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x8091F91: call_user_func (eval.c:22116)
==7744== by 0x807D726: call_func (eval.c:8351)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x8079860: eval7 (eval.c:5128)
==7744== by 0x8079179: eval6 (eval.c:4780)
==7744== by 0x8078D6F: eval5 (eval.c:4596)
==7744== by 0x8078309: eval4 (eval.c:4289)
==7744== by 0x8078177: eval3 (eval.c:4201)
==7744== by 0x8078019: eval2 (eval.c:4130)
==7744== by 0x8077E6A: eval1 (eval.c:4055)
==7744== by 0x8077DD5: eval0 (eval.c:4012)
==7744== by 0x80745B4: ex_let (eval.c:1885)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x8091F91: call_user_func (eval.c:22116)
==7744== by 0x807D726: call_func (eval.c:8351)
==7744== by 0x807D36F: get_func_tv (eval.c:8193)
==7744== by 0x8076FBF: ex_call (eval.c:3435)
==7744== by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x80AE381: do_ucmd (ex_docmd.c:6168)
==7744== by 0x80A89E7: do_one_cmd (ex_docmd.c:2663)
==7744== by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744== by 0x80A59A3: do_cmdline_cmd (ex_docmd.c:728)
==7744== by 0x81E8C0D: exe_commands (main.c:2810)
==7744== by 0x81E62E6: main (main.c:884)
Steps to reproduce:
- install the vcscommand plugin:
http://www.vim.org/scripts/script.php?script_id=90
- run:
$ vim -c VCSVimDiff
Running VCSVimDiff on an unnamed buffer does not make much sense
but it should not cause vim to access invalid memory.
Code in misc2.c:
3219 /*
3220 * Return TRUE if "p" points to just after a path separator.
3221 * Take care of multi-byte characters.
3222 * "b" must point to the start of the file name
3223 */
3224 int
3225 after_pathsep(b, p)
3226 char_u *b;
3227 char_u *p;
3228 {
3229 return vim_ispathsep(p[-1])
3230 && (!has_mbyte || (*mb_head_off)(b,
p - 1) == 0);
3231 }
When error happens, b and p are identical, they point to the beginning
of an empty string. So p[-1] at misc2.c:3229 is an invalid read of 1 byte
and return value of after_pathsep() is then undefined.
Attached patch fixes it.
-- Dominique
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
diff -r c45a38bd18a9 src/misc2.c
--- a/src/misc2.c Sun Jun 26 19:40:23 2011 +0200
+++ b/src/misc2.c Sun Jul 03 13:30:24 2011 +0200
@@ -3226,7 +3226,7 @@
char_u *b;
char_u *p;
{
- return vim_ispathsep(p[-1])
+ return b < p && vim_ispathsep(p[-1])
&& (!has_mbyte || (*mb_head_off)(b, p - 1) == 0);
}
#endif
