On Tue, 07 May 2013 19:10:44 +0300, Arto Jonsson wrote:
> While writing an email vi(1) crashed with segmentation fault.
>
> When ^W (WERASE) is hit in insert mode it's possible that the line
> buffer is accessed out of bounds. If 'max' == 0 and 'tp->cno' == 1 the
> 'tp->cno' value is first reduced by one and then 'tp->lb' is accessed at
> 'tp->cno' - 1.
Good catch, I know folks who have hit this bug but I was never able to reproduce it. Moving the isblank() check should be safe since trailing blanks are trimmed earlier on so we won't exit the loop prematurely. I see you didn't change the TXT_ALTWERASE case, though. It looks like that also needs a fix but the "break" there will break out of the switch statement, not a loop. However, since trailing blanks have already been trimmed I think that check is effectively a no-op and could simply be removed. - todd
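The boundary condition described above, as an added illustration that is not the editor's own code and not part of this thread: the functions, the buffer layout and the exact loop shape are my assumptions, modelled on Arto's description (decrement `cno`, then read `lb[cno - 1]`) and on Todd's remark that trailing blanks are trimmed before the word scan. The flawed variant reports the out-of-bounds index instead of reading it, so the two orderings can be compared on the same inputs.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical model of the ^W (WERASE) scan, not vi's source.
 *   lb  : line buffer
 *   max : leftmost column the erase may reach (e.g. start of the insert)
 *   cno : cursor column, one past the last typed character
 * Both scan functions return the cursor column after the erase, or -1
 * when the routine would have indexed lb[] out of bounds.
 */

/* Trailing blanks are removed before the scan (assumed, per the thread). */
size_t trim_trailing_blanks(const char *lb, size_t max, size_t cno)
{
    while (cno > max && isblank((unsigned char)lb[cno - 1]))
        --cno;
    return cno;
}

/* Flawed ordering: move the cursor first, then look at lb[cno - 1]. */
int werase_flawed(const char *lb, size_t max, size_t cno)
{
    while (cno > max) {
        --cno;
        /* With max == 0 and cno == 1 we are now at cno == 0, so the next
         * read would be lb[(size_t)-1]. Report it instead of reading. */
        if (cno == 0)
            return -1;
        if (isblank((unsigned char)lb[cno - 1]))
            break;
    }
    return (int)cno;
}

/* Fixed ordering: look at lb[cno - 1] first, then move the cursor.
 * Inside the loop cno > max >= 0, so cno - 1 is always a valid index.
 * Because trailing blanks were trimmed, the first test never sees a
 * blank, so the loop cannot exit before erasing anything. */
int werase_fixed(const char *lb, size_t max, size_t cno)
{
    while (cno > max) {
        if (isblank((unsigned char)lb[cno - 1]))
            break;
        --cno;
    }
    return (int)cno;
}

int main(void)
{
    /* Constructed sample lines. */
    const char *one = "a";            /* single character, max == 0 */
    const char *two = "foo bar  ";    /* trailing blanks to trim */
    size_t c;

    c = trim_trailing_blanks(one, 0, strlen(one));
    printf("flawed: %d  fixed: %d\n", werase_flawed(one, 0, c),
           werase_fixed(one, 0, c));

    c = trim_trailing_blanks(two, 0, strlen(two));
    printf("flawed: %d  fixed: %d\n", werase_flawed(two, 0, c),
           werase_fixed(two, 0, c));
    return 0;
}
```

On the one-character line the flawed ordering reaches index -1 while the fixed ordering erases the character and stops at column 0; on ordinary multi-word lines both orderings land on the same column, which is the point of Todd's observation that the moved check does not change behaviour away from the boundary.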
