Re: Patch to fix access to freed memory in spelling checker feature

Bram Moolenaar Sat, 09 Feb 2008 12:36:45 -0800


Dominique Pelle wrote:


> > > Valgrind memory checker detects that Vim is using freed memory
> > > in the spelling checker code:
> ...
> 
> > Hmm, ml_get() shouldn't free the pointer, it should be getting the same
> > line.
> 
> 
> Looking at the code, call to spell_move_to(...) may invalidate
> the line pointer, since it may call ml_get() with the previous line
> when it calls check_need_cap(...) at line spell.c:10271:
> 
>    10247 check_need_cap(lnum, col)
>    10248     linenr_T    lnum;
>    10249     colnr_T     col;
>    10250 {
>    ....
>    10263     if ((int)(skipwhite(line) - line) >= (int)col)
>    10264     {
>    10265         /* At start of line, check if previous line is empty
> or sentence
>    10266          * ends there. */
>    10267         if (lnum == 1)
>    10268             need_cap = TRUE;
>    10269         else
>    10270         {
> !!!10271             line = ml_get(lnum - 1);
>    10272             if (*skipwhite(line) == NUL)
>    10273                 need_cap = TRUE;
> 
> 
> I also found a much simpler test case to trigger this bug:
> 
> 1/ start vim with:
>    valgrind vim -u NONE -c 'set nowrap|set spell' 2> valgrind.log
> 
> 2/ press i (to enter insert mode)
> 
> 3/ press <NL>  (to go to the second line)
> 
> 4/ type: aaaaaaaa.... (etc) until  reaching slightly
> beyond the full width of the terminal.
> 
> 5/ Observe that valgrind complains (access to freed memory)
> shortly after typing enough 'a' to reach beyond the width of
> the terminal.
> 
> 6/ Also observe that text aaaa... (etc) get highlighted in red
> (as spelling mistake) as soon as reaching the full width of the
> terminal.   Normally vim does not highlight a word a spelling
> error until a word separator has been typed (space for
> example) but somehow reaching the right side of the terminal
> when in "nowrap" mode causes Vim to start highlighting the
> word as spelling error.  I'm not sure whether it's the symptom
> of the same bug or if it's another bug.
> 
> I'm using Vim-7.1.244 on Linux x86 built with
> "configure --with-features=huge" without optimizations (-O0 -g)
> in a gnome-terminal.

Thanks for the extra info.  I'll look into it later.

-- 
hundred-and-one symptoms of being an internet addict:
10. And even your night dreams are in HTML.

 /// Bram Moolenaar -- [EMAIL PROTECTED] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---

Re: Patch to fix access to freed memory in spelling checker feature

Raspunde prin e-mail lui