Hi,
The Valgrind memory checker finds the following error in vim-7.1 (patches 1-94).
==14011== Conditional jump or move depends on uninitialised value(s)
==14011== at 0x80EE9B0: msg_puts_display (message.c:1947)
==14011== by 0x80EE657: msg_puts_attr_len (message.c:1819)
==14011== by 0x80EDC48: msg_outtrans_len_attr (message.c:1383)
==14011== by 0x80ED973: msg_outtrans_len (message.c:1274)
==14011== by 0x80AD7B9: draw_cmdline (ex_getln.c:2618)
==14011== by 0x80AE4F1: redrawcmd (ex_getln.c:3105)
==14011== by 0x80AE3E8: redrawcmdline (ex_getln.c:3057)
==14011== by 0x8194CEB: set_shellsize (term.c:3150)
==14011== by 0x8194B51: shell_resized (term.c:3042)
==14011== by 0x81316F3: handle_resize (os_unix.c:407)
==14011== by 0x8131682: mch_inchar (os_unix.c:369)
==14011== by 0x8197F89: ui_inchar (ui.c:193)
==14011==
==14011== Conditional jump or move depends on uninitialised value(s)
==14011== at 0x80EE9C7: msg_puts_display (message.c:1955)
==14011== by 0x80EE657: msg_puts_attr_len (message.c:1819)
==14011== by 0x80EDC48: msg_outtrans_len_attr (message.c:1383)
==14011== by 0x80ED973: msg_outtrans_len (message.c:1274)
==14011== by 0x80AD7B9: draw_cmdline (ex_getln.c:2618)
==14011== by 0x80AE4F1: redrawcmd (ex_getln.c:3105)
==14011== by 0x80AE3E8: redrawcmdline (ex_getln.c:3057)
==14011== by 0x8194CEB: set_shellsize (term.c:3150)
==14011== by 0x8194B51: shell_resized (term.c:3042)
==14011== by 0x81316F3: handle_resize (os_unix.c:407)
==14011== by 0x8131682: mch_inchar (os_unix.c:369)
==14011== by 0x8197F89: ui_inchar (ui.c:193)
(etc, other errors)
I can reproduce it 100% of the time by:
- typing ":" to enter Ex mode
- typing a couple of random chars in Ex mode, for example ":aaaaaaaaaaaaaaaaaaa"
- then resizing the terminal so that the end of the above Ex command reaches
  exactly the end of the terminal.
When vim gets the terminal resize event, and the Ex command reaches exactly
the end of the line, the above errors are reported.
The relevant code, where memory is used uninitialized, is (line 1947):
message.c:
1945             /* When we displayed a char in last column need to check if there
1946              * is still more. */
1947             if (*s >= ' '
1948 #ifdef FEAT_RIGHTLEFT
1949                     && !cmdmsg_rl
1950 #endif
1951                )
1952                 continue;
1953         }
The variable that is used uninitialized here is *s. By debugging, I found
that it happens when s was set a couple of lines above, in message.c:1907:
1892             /* Display char in last column before showing more-prompt. */
1893             if (*s >= ' '
1894 #ifdef FEAT_RIGHTLEFT
1895                     && !cmdmsg_rl
1896 #endif
1897                )
1898             {
1899 #ifdef FEAT_MBYTE
1900                 if (has_mbyte)
1901                 {
1902                     if (enc_utf8 && maxlen >= 0)
1903                         /* avoid including composing chars after the end */
1904                         l = utfc_ptr2len_len(s, (int)((str + maxlen) - s));
1905                     else
1906                         l = (*mb_ptr2len)(s);
1907                     s = screen_puts_mbyte(s, l, attr);
1908                 }
1909                 else
1910 #endif
1911                     msg_screen_putchar(*s++, attr);
1912             }
The problem happens because incrementing s at line 1907 can move it beyond
the end of the string str. s is then dereferenced later, beyond the end of str.
I attach a patch which fixes the problem. Please review it to make
sure it does not break anything.
I'm using vim-7.94 on Linux x86, built with "configure --with-features=huge".
Attached: patch-read-out-of-bounds.txt
-- Dominique
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
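The pointer walk described in the report, modelled as an added C example (this is not vim's code and not part of the post or the attached patch). The names walk, peek, mb_len, must_stop and check_mode are assumptions, the inputs are constructed, and the "multi-byte" length rule is a stand-in for (*mb_ptr2len)(). The input buffers are padded past the allowed length so that the over-read lands in mapped memory and can be recorded instead of triggering undefined behaviour; the recorded furthest offset is what Valgrind would flag in the real program. The example also exercises the maxlen < 0 ("no byte limit, NUL-terminated") calling convention that line 1902 of the excerpt guards against, which the attached patch's condition does not handle.

```c
#include <stddef.h>
#include <stdio.h>

#define NUL '\0'

/* Which stop condition to apply after drawing the char in the last column. */
enum check_mode
{
    UNCHECKED,          /* behaviour as reported: s is dereferenced unconditionally */
    PATCH_AS_POSTED,    /* the condition from the attached patch, verbatim */
    PATCH_GUARDED       /* same condition, byte limit applied only when maxlen >= 0 */
};

/* Furthest byte offset from str that the walk dereferenced (hypothetical
 * instrumentation; a real caller would not own the padding bytes). */
size_t furthest_read;

static unsigned char peek(const unsigned char *str, const unsigned char *s)
{
    size_t off = (size_t)(s - str);
    if (off > furthest_read)
        furthest_read = off;
    return *s;
}

/* Constructed stand-in for (*mb_ptr2len)(): a byte with the high bit set is
 * the lead byte of a 2-byte character, everything else is 1 byte. */
static int mb_len(unsigned char lead)
{
    return (lead & 0x80) ? 2 : 1;
}

static int must_stop(enum check_mode mode, const unsigned char *str,
                     const unsigned char *s, int maxlen)
{
    switch (mode)
    {
    case PATCH_AS_POSTED:
        /* with maxlen < 0 the first clause is always true */
        return (int)(s - str) >= maxlen || peek(str, s) == NUL;
    case PATCH_GUARDED:
        /* short-circuit: *s is only read while s is still inside the buffer */
        return (maxlen >= 0 && (int)(s - str) >= maxlen) || peek(str, s) == NUL;
    default:
        return 0;
    }
}

/* Model of the msg_puts_display() loop from the report (not vim's code).
 * Every iteration "displays" one character as if it sat in the last column.
 * maxlen < 0 means "no byte limit, str is NUL-terminated", as in vim.
 * Returns the number of bytes consumed; furthest_read records the largest
 * offset that was dereferenced. */
size_t walk(const unsigned char *str, int maxlen, enum check_mode mode)
{
    const unsigned char *s = str;

    furthest_read = 0;
    while (peek(str, s) != NUL && (maxlen < 0 || (int)(s - str) < maxlen))
    {
        /* Display char in last column: this moves s forward and, for the
         * last allowed byte, lands exactly on str + maxlen (or beyond it for
         * a 2-byte character), i.e. past the last valid byte. */
        s += mb_len(peek(str, s));

        if (must_stop(mode, str, s, maxlen))
            break;

        /* Line 1947 of the report: "is there still more?" is decided by
         * reading *s, which is out of range when the bytes ran out. */
        if (peek(str, s) >= ' ')
            continue;
        break;
    }
    return (size_t)(s - str);
}

int main(void)
{
    /* Constructed input: 3 valid bytes "abc" plus padding; maxlen = 3 says
     * only offsets 0..2 may be read. */
    static const unsigned char padded[] = "abczz";
    static const unsigned char plain[] = "abc";

    walk(padded, 3, UNCHECKED);
    printf("unchecked, maxlen=3: furthest offset read %zu (limit is 2)\n", furthest_read);
    walk(padded, 3, PATCH_GUARDED);
    printf("guarded,   maxlen=3: furthest offset read %zu\n", furthest_read);
    printf("posted,  maxlen=-1: consumed %zu of 3 bytes\n", walk(plain, -1, PATCH_AS_POSTED));
    printf("guarded, maxlen=-1: consumed %zu of 3 bytes\n", walk(plain, -1, PATCH_GUARDED));
    return 0;
}
```

The guarded form stops the dereference at str + maxlen without touching the byte there, because the length clause is evaluated first. For the NUL-terminated convention (maxlen < 0) the posted condition `(int)(s - str) >= maxlen` is always true, so that variant gives up after a single character; the guard restores the intended "stop at NUL" behaviour.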
Index: message.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/message.c,v
retrieving revision 1.57
diff -c -r1.57 message.c
*** message.c 7 Aug 2007 20:00:03 -0000 1.57
--- message.c 30 Aug 2007 18:05:07 -0000
***************
*** 1909,1914 ****
--- 1909,1918 ----
else
#endif
msg_screen_putchar(*s++, attr);
+
+ /* since s has been incremented, maxlen may have been reached */
+ if ((int)(s - str) >= maxlen || *s == NUL)
+ break;
}
if (p_more)
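Review bot: the added condition `(int)(s - str) >= maxlen` is always true when maxlen is negative, and the `maxlen >= 0` guard at line 1902 of the quoted code shows that a negative maxlen (NUL-terminated string, no byte limit) is an expected input here; with such a call this `break` fires as soon as the first character in the last column has been drawn, cutting the message short. Guard the length test so it only applies when a limit was given, for example `if ((maxlen >= 0 && (int)(s - str) >= maxlen) || *s == NUL)`. The ordering of the two clauses is right: because `||` short-circuits, `*s` is only dereferenced while s is still inside the buffer, which is the read the Valgrind report complains about. An alternative that avoids re-reading `*s` at line 1947 altogether would be to set a flag when a character was drawn in the last column and test that flag instead.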