Valgrind memory checker detects the following bug in vim-7.1.154:
==6518== Source and destination overlap in strcpy(0x4F8E442, 0x4F8E443)
==6518== at 0x40245D2: strcpy (mc_replace_strmem.c:106)
==6518== by 0x80AF714: eval_vars (ex_docmd.c:9394)
==6518== by 0x80A7B6A: expand_filename (ex_docmd.c:4247)
==6518== by 0x80A4F4B: do_one_cmd (ex_docmd.c:2557)
==6518== by 0x80A293A: do_cmdline (ex_docmd.c:1099)
==6518== by 0x808B6DA: ex_execute (eval.c:18592)
==6518== by 0x80A50EA: do_one_cmd (ex_docmd.c:2621)
==6518== by 0x80A293A: do_cmdline (ex_docmd.c:1099)
==6518== by 0x808F04A: call_user_func (eval.c:20289)
==6518== by 0x807B7BE: call_func (eval.c:7599)
==6518== by 0x807B3E9: get_func_tv (eval.c:7446)
==6518== by 0x8077A76: eval7 (eval.c:4697)
Overlapping strings in strcpy(...) in ex_docmd.c:9394 have
undefined behavior (may work or not).
9394 STRCPY(src - 1, src); /* remove backslash */
I attach a patch for file ex_docmd.c with:
- trivial fix for above bug (using mch_memmove() instead of STRCPY())
- fixed a few typos in comments
- fixed a typo in one translatable error message
I'm using vim-7.1.154, on Linux, built without optimizations (-O0)
and configured with "./configure --with-features=huge".
-- Dominique
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
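The overlapping-copy problem reported above, as an added C example (not vim's own code): the "remove backslash" step rewritten with memmove(), plus a one-pass generalisation that strips every escaping backslash without any overlapping copy. Function names, the guard shape, and the sample strings are my own constructions modelled on the eval_vars() snippet.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the patched line 9394: given a pointer to the character that
 * follows a backslash, shift the rest of the string (including its NUL)
 * one byte to the left. memmove() is defined for overlapping ranges,
 * strcpy() is not. Returns the number of bytes moved, 0 if the guard
 * (same shape as vim's "src > srcstart && src[-1] == '\\'") fails. */
size_t remove_backslash_before(char *buf, char *src)
{
    if (src <= buf || src[-1] != '\\')
        return 0;
    size_t len = strlen(src) + 1;   /* +1 so the terminating NUL moves too */
    memmove(src - 1, src, len);     /* overlap is legal for memmove() */
    return len;
}

/* Generalisation (assumed, not from the patch): strip every escaping
 * backslash in one left-to-right pass with separate read/write cursors.
 * No overlapping copy is needed, "\\" collapses to "\", and a trailing
 * lone backslash is kept as-is rather than read past the NUL. */
void unescape_backslashes(char *s)
{
    char *w = s;
    for (char *r = s; *r != '\0'; r++) {
        if (*r == '\\' && r[1] != '\0')
            r++;                    /* drop the escape, keep the next char */
        *w++ = *r;
    }
    *w = '\0';
}

int main(void)
{
    char cmd[] = "edit \\<cfile>";  /* constructed: an escaped <cfile> */
    remove_backslash_before(cmd, strchr(cmd, '<'));
    printf("%s\n", cmd);            /* edit <cfile> */

    char s[] = "a\\<b>\\\\c";       /* constructed: mixed escapes */
    unescape_backslashes(s);
    printf("%s\n", s);              /* a<b>\c */
    return 0;
}
```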
Index: ex_docmd.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/ex_docmd.c,v
retrieving revision 1.135
diff -c -r1.135 ex_docmd.c
*** ex_docmd.c 19 Oct 2007 14:20:28 -0000 1.135
--- ex_docmd.c 9 Nov 2007 20:35:42 -0000
***************
*** 666,672 ****
if (ex_pressedreturn)
{
/* go up one line, to overwrite the ":<CR>" line, so the
! * output doensn't contain empty lines. */
msg_row = prev_msg_row;
if (prev_msg_row == Rows - 1)
msg_row--;
--- 666,672 ----
if (ex_pressedreturn)
{
/* go up one line, to overwrite the ":<CR>" line, so the
! * output doesn't contain empty lines. */
msg_row = prev_msg_row;
if (prev_msg_row == Rows - 1)
msg_row--;
***************
*** 2760,2766 ****
/*
* Isolate the command and search for it in the command table.
! * Exeptions:
* - the 'k' command can directly be followed by any character.
* - the 's' command can be followed directly by 'c', 'g', 'i', 'I' or 'r'
* but :sre[wind] is another command, as are :scrip[tnames],
--- 2760,2766 ----
/*
* Isolate the command and search for it in the command table.
! * Exceptions:
* - the 'k' command can directly be followed by any character.
* - the 's' command can be followed directly by 'c', 'g', 'i', 'I' or 'r'
* but :sre[wind] is another command, as are :scrip[tnames],
***************
*** 6677,6683 ****
* The list should be allocated using alloc(), as should each item in the
* list. This function takes over responsibility for freeing the list.
*
! * XXX The list is made into the arggument list. This is freed using
* FreeWild(), which does a series of vim_free() calls, unless the two defines
* __EMX__ and __ALWAYS_HAS_TRAILING_NUL_POINTER are set. In this case, a
* routine _fnexplodefree() is used. This may cause problems, but as the drop
--- 6677,6683 ----
* The list should be allocated using alloc(), as should each item in the
* list. This function takes over responsibility for freeing the list.
*
! * XXX The list is made into the argument list. This is freed using
* FreeWild(), which does a series of vim_free() calls, unless the two defines
* __EMX__ and __ALWAYS_HAS_TRAILING_NUL_POINTER are set. In this case, a
* routine _fnexplodefree() is used. This may cause problems, but as the drop
***************
*** 7795,7801 ****
if (vim_strchr(p_cpo, CPO_CHDIR) != NULL && curbufIsChanged()
&& !eap->forceit)
{
! EMSG(_("E747: Cannot change directory, buffer is modifed (add ! to override)"));
return;
}
--- 7795,7801 ----
if (vim_strchr(p_cpo, CPO_CHDIR) != NULL && curbufIsChanged()
&& !eap->forceit)
{
! EMSG(_("E747: Cannot change directory, buffer is modified (add ! to override)"));
return;
}
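Review bot: the wording fix ("modifed" to "modified") is correct, but because the string is wrapped in _() its msgid changes, so every existing translation of E747 in the .po files stops matching until translators update it; worth flagging in the commit message so the translation catalogs get refreshed with the same change.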
***************
*** 9391,9397 ****
if (src > srcstart && src[-1] == '\\')
{
*usedlen = 0;
! STRCPY(src - 1, src); /* remove backslash */
return NULL;
}
--- 9391,9397 ----
if (src > srcstart && src[-1] == '\\')
{
*usedlen = 0;
! mch_memmove(src - 1, src, STRLEN(src) + 1); /* remove backslash */
return NULL;
}
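Review bot: the memmove() replacement at line 9394 is the right fix; copying between overlapping objects with strcpy() is undefined behavior in C, and STRLEN(src) + 1 moves the terminating NUL as well, so the result is byte-for-byte what STRCPY produced whenever it happened to work. The `src > srcstart && src[-1] == '\\'` guard on the preceding line keeps `src - 1` inside the buffer, so no extra bounds check is needed here. Since the valgrind run only exercised this one path, the same shift-left-by-one STRCPY idiom is worth a quick search elsewhere in the source before the patch is committed.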