On 2/6/08, Bram Moolenaar <[EMAIL PROTECTED]> wrote:
>
> Dominique Pelle wrote:
>
> > Valgrind memory checker detects that Vim is using freed memory
> > in the spelling checker code:
...

> Hmm, ml_get() shouldn't free the pointer, it should be getting the same
> line.


Looking at the code, the call to spell_move_to(...) may invalidate
the line pointer, since it may call ml_get() with the previous line
when it calls check_need_cap(...) at line spell.c:10271:

   10247 check_need_cap(lnum, col)
   10248     linenr_T    lnum;
   10249     colnr_T     col;
   10250 {
   ....
   10263     if ((int)(skipwhite(line) - line) >= (int)col)
   10264     {
   10265         /* At start of line, check if previous line is empty or sentence
   10266          * ends there. */
   10267         if (lnum == 1)
   10268             need_cap = TRUE;
   10269         else
   10270         {
!!!10271             line = ml_get(lnum - 1);
   10272             if (*skipwhite(line) == NUL)
   10273                 need_cap = TRUE;


I also found a much simpler test case to trigger this bug:

1/ start vim with:
   valgrind vim -u NONE -c 'set nowrap|set spell' 2> valgrind.log

2/ press i (to enter insert mode)

3/ press <NL>  (to go to the second line)

4/ type: aaaaaaaa.... (etc) until  reaching slightly
beyond the full width of the terminal.

5/ Observe that valgrind complains (access to freed memory)
shortly after typing enough 'a' to reach beyond the width of
the terminal.

6/ Also observe that the text aaaa... (etc) gets highlighted in red
(as a spelling mistake) as soon as it reaches the full width of the
terminal.   Normally Vim does not highlight a word as a spelling
error until a word separator has been typed (space for
example) but somehow reaching the right side of the terminal
when in "nowrap" mode causes Vim to start highlighting the
word as a spelling error.  I'm not sure whether it's a symptom
of the same bug or if it's another bug.

I'm using Vim-7.1.244 on Linux x86 built with
"configure --with-features=huge" without optimizations (-O0 -g)
in a gnome-terminal.

-- Dominique

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
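
The hazard described in the message above, reduced to a self-contained model: a pointer returned by a line getter is held across a call that fetches a different line. This is an added example, not code from Vim or from the original post; toy_ml_get(), toy_check_need_cap(), the one-slot cache and the two-line buffer are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed two-line buffer: line 1 is empty, line 2 holds the word. */
static const char *store[] = { "", "aaaaaaaa" };
static char *cached;       /* the single copy handed out to callers */
static long cached_lnum;   /* which line 'cached' holds; 0 = none */

/* Hypothetical stand-in for ml_get(): a one-slot cache that frees the
 * previous copy whenever a different line is requested. */
char *toy_ml_get(long lnum)
{
    if (cached_lnum == lnum)
        return cached;
    free(cached);
    cached = malloc(strlen(store[lnum - 1]) + 1);
    if (cached == NULL) abort();
    strcpy(cached, store[lnum - 1]);
    cached_lnum = lnum;
    return cached;
}

/* Same shape as the check_need_cap() excerpt: inspects the previous line. */
int toy_check_need_cap(long lnum)
{
    return lnum == 1 || *toy_ml_get(lnum - 1) == '\0';
}

/* BEFORE: 'line' is held across a call that fetches another line, so the
 * strlen() reads freed memory (what Valgrind reports). Never called here. */
size_t len_stale(long lnum)
{
    char *line = toy_ml_get(lnum);
    (void)toy_check_need_cap(lnum);
    return strlen(line);
}

/* AFTER: dereference only a pointer fetched after the callee has run. */
size_t len_refetch(long lnum)
{
    (void)toy_check_need_cap(lnum);      /* may replace the cached line */
    return strlen(toy_ml_get(lnum));     /* fresh, valid pointer */
}

int main(void)
{
    return len_refetch(2) == 8 ? 0 : 1;
}
```

Swapping len_refetch() for len_stale() in main() and running the binary under Valgrind or AddressSanitizer reproduces the class of report discussed in this thread.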
