Hi,

The Valgrind memory checker detects a use of freed memory in the Motif GUI version of Vim-7.2.267:
==19809== Invalid read of size 1
==19809==    at 0x4026A4B: strcmp (mc_replace_strmem.c:337)
==19809==    by 0x81D7CE2: do_choice (gui_xmdlg.c:637)
==19809==    by 0x81D8106: name_callback (gui_xmdlg.c:734)
==19809==    by 0x41C040A: XtCallCallbackList (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x40FD2BC: (within /usr/lib/libXm.so.2.0.1)
==19809==    by 0x41F74C0: (within /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41F789A: (within /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41F7E97: _XtTranslateEvent (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41CE671: XtDispatchEventToWidget (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41CEE89: (within /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41CDCF6: XtDispatchEvent (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41DABE9: XtAppProcessEvent (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x81DA067: gui_xm_select_font (gui_xmdlg.c:1271)
==19809==    by 0x81D2165: gui_mch_init_font (gui_x11.c:1853)
==19809==    by 0x81C2716: gui_init_font (gui.c:715)
==19809==    by 0x813D882: did_set_string_option (option.c:6116)
==19809==    by 0x813B1C2: do_set (option.c:4679)
==19809==    by 0x80B0268: ex_set (ex_docmd.c:10988)
==19809==    by 0x80A34AC: do_one_cmd (ex_docmd.c:2629)
==19809==    by 0x80A0CE3: do_cmdline (ex_docmd.c:1098)
==19809==    by 0x8127266: nv_colon (normal.c:5224)
==19809==    by 0x81208F6: normal_cmd (normal.c:1188)
==19809==    by 0x80E3615: main_loop (main.c:1186)
==19809==    by 0x80E3162: main (main.c:942)
==19809==  Address 0x5363eb0 is 0 bytes inside a block of size 21 free'd
==19809==    at 0x4024E5A: free (vg_replace_malloc.c:323)
==19809==    by 0x41BFD90: XtFree (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x81D7CC6: do_choice (gui_xmdlg.c:636)
==19809==    by 0x81D8106: name_callback (gui_xmdlg.c:734)
==19809==    by 0x41C040A: XtCallCallbackList (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x40FD2BC: (within /usr/lib/libXm.so.2.0.1)
==19809==    by 0x41F74C0: (within /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41F789A: (within /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41F7E97: _XtTranslateEvent (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41CE671: XtDispatchEventToWidget (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41CEE89: (within /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41CDCF6: XtDispatchEvent (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x41DABE9: XtAppProcessEvent (in /usr/lib/libXt.so.6.0.0)
==19809==    by 0x81DA067: gui_xm_select_font (gui_xmdlg.c:1271)
==19809==    by 0x81D2165: gui_mch_init_font (gui_x11.c:1853)
==19809==    by 0x81C2716: gui_init_font (gui.c:715)
==19809==    by 0x813D882: did_set_string_option (option.c:6116)
==19809==    by 0x813B1C2: do_set (option.c:4679)
==19809==    by 0x80B0268: ex_set (ex_docmd.c:10988)
==19809==    by 0x80A34AC: do_one_cmd (ex_docmd.c:2629)
==19809==    by 0x80A0CE3: do_cmdline (ex_docmd.c:1098)
==19809==    by 0x8127266: nv_colon (normal.c:5224)
==19809==    by 0x81208F6: normal_cmd (normal.c:1188)
==19809==    by 0x80E3615: main_loop (main.c:1186)
==19809==    by 0x80E3162: main (main.c:942)

The bug can be reproduced as follows:

- Compile Vim with Motif or lessTif.
- Run gvim with valgrind:

    $ cd vim7/src
    $ valgrind ./vim -f -g 2> valgrind.log

- Type the Ex command: set guifont=*
- A window pops up to select a font.
- Click any font (it does not matter which one).
- Observe the error in the Valgrind output.

Looking at the code, the use of freed memory is obvious:

vim7/src/gui_xmdlg.c:

     632     if (!data->sel[which])
     633         data->sel[which] = XtNewString(sel);
     634     else
     635     {
    !636         XtFree(data->sel[which]);
    !637         if (!strcmp(data->sel[which], sel))
     638         {
     639             /* unselecting current selection */
     640             data->sel[which] = NULL;
     641             if (w)
     642                 XmListDeselectItem(w, call_data->item);
     643         }
     644         else
     645             data->sel[which] = XtNewString(sel);
     646     }

'data->sel[which]' is freed at line 636 and used immediately afterwards, on the next line, 637.

The attached patch fixes it.

Regards
-- 
Dominique
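As an added illustration (not code from this post or from Vim), the patched ordering of compare-then-free is written out below as a stand-alone C function, with plain malloc/free standing in for XtNewString/XtFree; the names `sel_data_t`, `choose`, `dup_string` and `run_scenario` are invented for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the dialog's per-list selection state: one owned string per
 * list (font name, style, size, ...), or NULL when nothing is selected. */
#define NUM_LISTS 3
typedef struct { char *sel[NUM_LISTS]; } sel_data_t;

/* Plain-malloc equivalent of XtNewString(). */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Apply a click on item `sel` of list `which`, in the patched order: compare
 * while the old string is still alive, free it afterwards.  Returns 1 if the
 * list now holds a selection, 0 if the click unselected it. */
static int choose(sel_data_t *data, int which, const char *sel)
{
    int same;

    if (!data->sel[which]) {
        data->sel[which] = dup_string(sel);
        return data->sel[which] != NULL;
    }
    same = strcmp(data->sel[which], sel) == 0;   /* read happens before the free */
    free(data->sel[which]);                      /* XtFree() equivalent */
    data->sel[which] = same ? NULL : dup_string(sel);
    return data->sel[which] != NULL;
}

/* Walk the three branches: first selection, replacement, and unselect by
 * clicking the same item again.  Returns how many steps left the expected
 * state; 5 means every branch behaved. */
static int run_scenario(void)
{
    sel_data_t d = {{0}};
    int ok = 0;
    ok += choose(&d, 1, "Courier") == 1 && strcmp(d.sel[1], "Courier") == 0;
    ok += choose(&d, 1, "Helvetica") == 1 && strcmp(d.sel[1], "Helvetica") == 0;
    ok += choose(&d, 1, "Helvetica") == 0 && d.sel[1] == NULL;
    ok += choose(&d, 1, "Helvetica") == 1 && d.sel[1] != NULL;
    ok += d.sel[0] == NULL && d.sel[2] == NULL;  /* other lists untouched */
    free(d.sel[1]);
    return ok;
}
```

Building this with `-fsanitize=address` or running it under Valgrind stays clean; swapping the `same = strcmp(...)` and `free(...)` lines reproduces the invalid read the post describes.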
Index: gui_xmdlg.c =================================================================== RCS file: /cvsroot/vim/vim7/src/gui_xmdlg.c,v retrieving revision 1.7 diff -c -r1.7 gui_xmdlg.c *** gui_xmdlg.c 21 May 2009 21:26:58 -0000 1.7 --- gui_xmdlg.c 24 Oct 2009 07:46:29 -0000 *************** *** 10,16 **** /* * (C) 2001,2005 by Marcin Dalecki <mar...@dalecki.de> * ! * Implementation of dialogue functions for the Motif GUI variant. * * Note about Lesstif: Apparently lesstif doesn't get the widget layout right, * when using a dynamic scrollbar policy. --- 10,16 ---- /* * (C) 2001,2005 by Marcin Dalecki <mar...@dalecki.de> * ! * Implementation of dialog functions for the Motif GUI variant. * * Note about Lesstif: Apparently lesstif doesn't get the widget layout right, * when using a dynamic scrollbar policy. *************** *** 633,648 **** data->sel[which] = XtNewString(sel); else { - XtFree(data->sel[which]); if (!strcmp(data->sel[which], sel)) { /* unselecting current selection */ data->sel[which] = NULL; if (w) XmListDeselectItem(w, call_data->item); } else data->sel[which] = XtNewString(sel); } XtFree(sel); --- 633,651 ---- data->sel[which] = XtNewString(sel); else { if (!strcmp(data->sel[which], sel)) { /* unselecting current selection */ + XtFree(data->sel[which]); data->sel[which] = NULL; if (w) XmListDeselectItem(w, call_data->item); } else + { + XtFree(data->sel[which]); data->sel[which] = XtNewString(sel); + } } XtFree(sel);
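Review bot: the `*** 10,16 ****` hunk only respells "dialogue" as "dialog" in the file header comment, which is unrelated to the use-after-free fix; it would be cleaner to submit it separately (or drop it, since both spellings are acceptable) so the bug fix stays a one-purpose patch.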
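Review bot: the reordering in the `*** 633,648 ****` hunk is correct: `XtFree(data->sel[which])` now runs after the `strcmp` in both branches, so the comparison no longer reads the freed block that Valgrind reported at gui_xmdlg.c:637. The cost is that the free is now duplicated in the two branches, which is the same shape of code that let the original ordering slip in; consider comparing once, freeing once, and assigning afterwards, e.g. `same = !strcmp(data->sel[which], sel); XtFree(data->sel[which]); data->sel[which] = same ? NULL : XtNewString(sel);` with the `XmListDeselectItem(w, call_data->item)` call kept under `if (same && w)`.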