Valgrind memory checker detects the following bug in Vim-7.1.285:
==10530== Conditional jump or move depends on uninitialised value(s)
==10530== at 0x81665C7: win_line (screen.c:2955)
==10530== by 0x8164049: win_update (screen.c:1765)
==10530== by 0x81621A8: update_screen (screen.c:522)
==10530== by 0x80E5FAC: main_loop (main.c:1110)
==10530== by 0x80E5C45: main (main.c:940)
(more errors follow after this first error)
Bug happens with spelling checker on (:set spell) and when editing
a file which has >= 150 spaces of indentation (SPWORDLEN = 150).
Bug happens because STRLEN(nextline + SPWORDLEN) is called with
string 'nextline + SPWORDLEN' (at screen.c:2956) which is then not
NUL terminated. String is initialized by spell_cat_line(...) at
line screen.c:2748. When the line has >= 150 leading spaces, the
output of spell_cat_line() is a string with 150 spaces and
_without_ end of string, hence the bug when later using
STRLEN(...) on that string.
I attach 2 patches. Both of them fix it:
- first patch just fixes the bug with minimal number of changes
to minimize the risks.
- second patch also fixes it but additionally improves spell_cat_line()
slightly:
o it avoids writing characters twice (simpler and faster).
o it avoids concatenating anything when next line has >= 150
spaces (it seems a waste of time to concatenate just
spaces in that case).
-- Dominique
--~--~---------~--~----~------------~-------~--~----~
You received this message from the "vim_dev" maillist.
For more information, visit http://www.vim.org/maillist.php
-~----------~----~----~----~------~----~------~--~---
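The clamp defect described in the report, as an added example that is not Vim's code: a reduced model of spell_cat_line() in which MAXLEN (a constructed size), model_cat_line(), cat_terminated() and indented() are all assumptions made here, and the `fixed` flag switches between the original clamp and the one from the first patch.

```c
#include <stdio.h>
#include <string.h>
#define MAXLEN 16   /* constructed; stands in for spell_cat_line()'s maxlen */
/* Reduced model of spell_cat_line(); fixed != 0 selects the first patch's clamp. */
static void model_cat_line(char *buf, const char *line, int maxlen, int fixed)
{
    const char *p = line;
    int n;
    while (*p == ' ')                  /* stands in for skipwhite() */
        p++;
    if (*p == '\0')
        return;                        /* only spaces: nothing is concatenated */
    buf[0] = ' ';
    strncpy(buf + 1, line, (size_t)(maxlen - 2));
    buf[maxlen - 1] = '\0';            /* vim_strncpy() writes the NUL at to[len] */
    n = (int)(p - line);               /* number of leading spaces */
    if (fixed) {
        if (n > maxlen - 2)            /* patched: memset ends at buf[maxlen-2] */
            n = maxlen - 2;
    } else if (n >= maxlen) {          /* original: n == maxlen-1 is not clamped, */
        n = maxlen - 1;                /* so memset reaches buf[maxlen-1] */
    }
    memset(buf + 1, ' ', (size_t)n);
}
/* Returns 1 if the result is NUL-terminated within MAXLEN bytes, 0 if not. */
static int cat_terminated(const char *line, int fixed)
{
    char buf[MAXLEN];
    memset(buf, 'X', sizeof buf);      /* poison so a lost NUL is detectable */
    buf[0] = '\0';                     /* caller starts from an empty string */
    model_cat_line(buf, line, MAXLEN, fixed);
    return memchr(buf, '\0', sizeof buf) != NULL;
}
/* Constructed input: nspaces leading spaces followed by the word "x". */
static const char *indented(int nspaces)
{
    static char line[64];
    memset(line, ' ', (size_t)nspaces);
    line[nspaces] = 'x';
    line[nspaces + 1] = '\0';
    return line;
}

int main(void)
{
    int i, spaces[] = { 5, MAXLEN - 2, MAXLEN - 1, 40 };
    for (i = 0; i < 4; i++)
        printf("%2d leading spaces: original %s, patched %s\n", spaces[i],
               cat_terminated(indented(spaces[i]), 0) ? "ok" : "NUL lost",
               cat_terminated(indented(spaces[i]), 1) ? "ok" : "NUL lost");
    return 0;
}
```

With the original clamp the terminator is lost as soon as the indentation reaches maxlen - 1, which is the unterminated string that STRLEN() later walks past; the patched clamp keeps buf[maxlen - 1] intact for any indentation.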
Index: spell.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/spell.c,v
retrieving revision 1.111
diff -d -c -r1.111 spell.c
*** spell.c 19 Jan 2008 14:56:57 -0000 1.111
--- spell.c 24 Mar 2008 15:30:37 -0000
***************
*** 2287,2294 ****
*buf = ' ';
vim_strncpy(buf + 1, line, maxlen - 2);
n = (int)(p - line);
! if (n >= maxlen)
! n = maxlen - 1;
vim_memset(buf + 1, ' ', n);
}
}
--- 2287,2294 ----
*buf = ' ';
vim_strncpy(buf + 1, line, maxlen - 2);
n = (int)(p - line);
! if (n > maxlen - 2)
! n = maxlen - 2;
vim_memset(buf + 1, ' ', n);
}
}
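Review bot: the new bound in `if (n > maxlen - 2)` is correct but the reason is not visible at the clamp: `vim_strncpy(buf + 1, line, maxlen - 2)` places the NUL at buf[maxlen - 1], so the memset must stop at buf[maxlen - 2]; a one-line comment stating that invariant next to the clamp would stop the next reader from "restoring" `maxlen - 1`. Note also that the old test `n >= maxlen` was wrong even for the boundary it did handle, since n == maxlen - 1 passed through unclamped and overwrote the terminator, which matches the >= 150 spaces trigger in the report.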
Index: spell.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/spell.c,v
retrieving revision 1.111
diff -c -r1.111 spell.c
*** spell.c 19 Jan 2008 14:56:57 -0000 1.111
--- spell.c 24 Mar 2008 18:47:31 -0000
***************
*** 2284,2295 ****
if (*p != NUL)
{
! *buf = ' ';
! vim_strncpy(buf + 1, line, maxlen - 2);
! n = (int)(p - line);
! if (n >= maxlen)
! n = maxlen - 1;
! vim_memset(buf + 1, ' ', n);
}
}
--- 2284,2297 ----
if (*p != NUL)
{
! n = (int)(p - line) + 1;
! if (n < maxlen - 1)
! {
! /* Only worth concatenating if there is something else than
! * spaces to concatenate */
! vim_memset(buf, ' ', n);
! vim_strncpy(buf + n, p, maxlen - 1 - n);
! }
}
}
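Review bot: when `n < maxlen - 1` is false the function now returns without writing to buf at all, so the caller must already have NUL-terminated buf (the report says the nextline buffer is set up at screen.c:2748); that dependency should be stated in the comment, because the original and the first patch always wrote a terminated string here. The bounds themselves check out: `vim_memset(buf, ' ', n)` covers the separator plus the skipped prefix, and `vim_strncpy(buf + n, p, maxlen - 1 - n)` puts its NUL at buf[maxlen - 1]. Minor: the comment should read "something other than spaces".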