Hi, I can reproduce the following Valgrind error with Vim-7.3.237:
==7744== Invalid read of size 1
==7744==    at 0x8110B39: after_pathsep (misc2.c:3229)
==7744==    by 0x8086820: f_resolve (eval.c:15130)
==7744==    by 0x807D828: call_func (eval.c:8380)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x8079860: eval7 (eval.c:5128)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x807D2DC: get_func_tv (eval.c:8178)
==7744==    by 0x8079860: eval7 (eval.c:5128)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x8077DD5: eval0 (eval.c:4012)
==7744==    by 0x80745B4: ex_let (eval.c:1885)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x8091F91: call_user_func (eval.c:22116)
==7744==    by 0x807D726: call_func (eval.c:8351)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x808C9E9: handle_subscript (eval.c:19186)
==7744==    by 0x8079900: eval7 (eval.c:5154)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x8077DD5: eval0 (eval.c:4012)
==7744==    by 0x80745B4: ex_let (eval.c:1885)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x8091F91: call_user_func (eval.c:22116)
==7744==    by 0x807D726: call_func (eval.c:8351)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x8079860: eval7 (eval.c:5128)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x8077DD5: eval0 (eval.c:4012)
==7744==    by 0x80745B4: ex_let (eval.c:1885)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x8091F91: call_user_func (eval.c:22116)
==7744==    by 0x807D726: call_func (eval.c:8351)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x8076FBF: ex_call (eval.c:3435)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x80AE381: do_ucmd (ex_docmd.c:6168)
==7744==    by 0x80A89E7: do_one_cmd (ex_docmd.c:2663)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x80A59A3: do_cmdline_cmd (ex_docmd.c:728)
==7744==    by 0x81E8C0D: exe_commands (main.c:2810)
==7744==    by 0x81E62E6: main (main.c:884)
==7744==  Address 0x53958f7 is 1 bytes before a block of size 1 alloc'd
==7744==    at 0x4025230: malloc (vg_replace_malloc.c:236)
==7744==    by 0x810E7B7: lalloc (misc2.c:918)
==7744==    by 0x810E6D4: alloc (misc2.c:817)
==7744==    by 0x810EBA2: vim_strsave (misc2.c:1235)
==7744==    by 0x8086317: f_resolve (eval.c:14976)
==7744==    by 0x807D828: call_func (eval.c:8380)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x8079860: eval7 (eval.c:5128)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x807D2DC: get_func_tv (eval.c:8178)
==7744==    by 0x8079860: eval7 (eval.c:5128)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x8077DD5: eval0 (eval.c:4012)
==7744==    by 0x80745B4: ex_let (eval.c:1885)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x8091F91: call_user_func (eval.c:22116)
==7744==    by 0x807D726: call_func (eval.c:8351)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x808C9E9: handle_subscript (eval.c:19186)
==7744==    by 0x8079900: eval7 (eval.c:5154)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x8077DD5: eval0 (eval.c:4012)
==7744==    by 0x80745B4: ex_let (eval.c:1885)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x8091F91: call_user_func (eval.c:22116)
==7744==    by 0x807D726: call_func (eval.c:8351)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x8079860: eval7 (eval.c:5128)
==7744==    by 0x8079179: eval6 (eval.c:4780)
==7744==    by 0x8078D6F: eval5 (eval.c:4596)
==7744==    by 0x8078309: eval4 (eval.c:4289)
==7744==    by 0x8078177: eval3 (eval.c:4201)
==7744==    by 0x8078019: eval2 (eval.c:4130)
==7744==    by 0x8077E6A: eval1 (eval.c:4055)
==7744==    by 0x8077DD5: eval0 (eval.c:4012)
==7744==    by 0x80745B4: ex_let (eval.c:1885)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x8091F91: call_user_func (eval.c:22116)
==7744==    by 0x807D726: call_func (eval.c:8351)
==7744==    by 0x807D36F: get_func_tv (eval.c:8193)
==7744==    by 0x8076FBF: ex_call (eval.c:3435)
==7744==    by 0x80A8A10: do_one_cmd (ex_docmd.c:2672)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x80AE381: do_ucmd (ex_docmd.c:6168)
==7744==    by 0x80A89E7: do_one_cmd (ex_docmd.c:2663)
==7744==    by 0x80A62E9: do_cmdline (ex_docmd.c:1123)
==7744==    by 0x80A59A3: do_cmdline_cmd (ex_docmd.c:728)
==7744==    by 0x81E8C0D: exe_commands (main.c:2810)
==7744==    by 0x81E62E6: main (main.c:884)

Steps to reproduce:
- install the vcscommand plugin: http://www.vim.org/scripts/script.php?script_id=90
- run: $ vim -c VCSVimDiff

Running VCSVimDiff on an unnamed buffer does not make much sense, but it should not cause vim to access invalid memory.

Code in misc2.c:

3219 /*
3220  * Return TRUE if "p" points to just after a path separator.
3221  * Take care of multi-byte characters.
3222  * "b" must point to the start of the file name
3223  */
3224     int
3225 after_pathsep(b, p)
3226     char_u	*b;
3227     char_u	*p;
3228 {
3229     return vim_ispathsep(p[-1])
3230 	&& (!has_mbyte || (*mb_head_off)(b, p - 1) == 0);
3231 }

When the error happens, b and p are identical: they point to the beginning of an empty string. So p[-1] at misc2.c:3229 is an invalid read of 1 byte, and the return value of after_pathsep() is then undefined. Attached patch fixes it.

-- 
Dominique
diff -r c45a38bd18a9 src/misc2.c --- a/src/misc2.c Sun Jun 26 19:40:23 2011 +0200 +++ b/src/misc2.c Sun Jul 03 13:30:24 2011 +0200 @@ -3226,7 +3226,7 @@ char_u *b; char_u *p; { - return vim_ispathsep(p[-1]) + return b < p && vim_ispathsep(p[-1]) && (!has_mbyte || (*mb_head_off)(b, p - 1) == 0); } #endif
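Review bot: the new `b < p` guard in the `return` line is only safe because `&&` short-circuits, so `p[-1]` is never evaluated when `p == b`; it also assumes `b` and `p` point into the same string, which the header comment ("b" must point to the start of the file name) implies but does not state as `b <= p`. Suggest extending that comment to say the function now returns FALSE for an empty name (`p == b`), since callers such as f_resolve previously got an undefined result in that case and may now rely on the defined one.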
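The empty-name case from the report, as an added stand-alone example that is not Vim's code: it models after_pathsep() in its unpatched and patched forms with the multi-byte branch dropped (as if has_mbyte were 0) and only '/' treated as a separator, and shows why the unpatched result depends on the byte before the string while the patched one does not.

```c
#include <stdio.h>

/* Added example, not Vim's code. Single-byte model of after_pathsep() with the
 * multi-byte branch dropped (as if has_mbyte == 0); only '/' is treated as a
 * path separator, a simplification of vim_ispathsep(). */
static int ispathsep(char c) { return c == '/'; }

/* Unpatched form: reads p[-1] unconditionally. When p == b this is the byte
 * before the name, out of bounds for a freshly allocated string, and the
 * result is whatever that byte happens to be. */
int after_pathsep_unpatched(const char *b, const char *p)
{
    (void)b;
    return ispathsep(p[-1]);
}

/* Patched form (the hunk in the mail): b < p is tested first and && short-
 * circuits, so p[-1] is never read when p is at the start of the name. */
int after_pathsep_patched(const char *b, const char *p)
{
    return b < p && ispathsep(p[-1]);
}

const char kDir[] = "/tmp/"; /* constructed sample; kDir + 5 is just past '/' */

/* Model of the report's empty-name case, placed inside a larger buffer so the
 * out-of-bounds byte is ours to choose rather than heap metadata: buf[0] is
 * '/', and buf + 1 is the empty name (a lone NUL). */
int unpatched_on_empty_name_after_slash(void)
{
    char buf[] = "/";
    const char *name = buf + 1;
    return after_pathsep_unpatched(name, name); /* reads buf[0] == '/' -> 1 */
}

int patched_on_empty_name_after_slash(void)
{
    char buf[] = "/";
    const char *name = buf + 1;
    return after_pathsep_patched(name, name);   /* never reads buf[0] -> 0 */
}

int main(void)
{
    printf("trailing '/': unpatched=%d patched=%d\n",
           after_pathsep_unpatched(kDir, kDir + 5), after_pathsep_patched(kDir, kDir + 5));
    printf("empty name:   unpatched=%d patched=%d\n",
           unpatched_on_empty_name_after_slash(), patched_on_empty_name_after_slash());
    return 0;
}
```

In Vim the byte before the 1-byte block allocated by vim_strsave() is heap metadata, which is what Valgrind flags; here it is a chosen '/' so the unpatched function's wrong TRUE can be shown without undefined behaviour.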