Hi
Using Vim-7.3a (2199:d0ddf7ba1630), I see the following
error with the Valgrind memory checker:
==20219== Conditional jump or move depends on uninitialised value(s)
==20219== at 0x8117C52: free_crypt_key (misc2.c:3794)
==20219== by 0x8117D7E: get_crypt_key (misc2.c:3843)
==20219== by 0x80B466C: ex_X (ex_docmd.c:11127)
==20219== by 0x80A7864: do_one_cmd (ex_docmd.c:2629)
==20219== by 0x80A513D: do_cmdline (ex_docmd.c:1098)
==20219== by 0x812A99E: nv_colon (normal.c:5226)
==20219== by 0x812421F: normal_cmd (normal.c:1188)
==20219== by 0x80E75E2: main_loop (main.c:1208)
==20219== by 0x80E70D9: main (main.c:952)
==20219== Uninitialised value was created by a heap allocation
==20219== at 0x4024F70: malloc (vg_replace_malloc.c:236)
==20219== by 0x8114BFC: lalloc (misc2.c:919)
==20219== by 0x8114B06: alloc (misc2.c:818)
==20219== by 0x80BB110: alloc_cmdbuff (ex_getln.c:2509)
==20219== by 0x80B76DB: getcmdline (ex_getln.c:229)
==20219== by 0x80BA5FC: getcmdline_prompt (ex_getln.c:1961)
==20219== by 0x8117CD0: get_crypt_key (misc2.c:3819)
==20219== by 0x80B466C: ex_X (ex_docmd.c:11127)
==20219== by 0x80A7864: do_one_cmd (ex_docmd.c:2629)
==20219== by 0x80A513D: do_cmdline (ex_docmd.c:1098)
==20219== by 0x812A99E: nv_colon (normal.c:5226)
==20219== by 0x812421F: normal_cmd (normal.c:1188)
==20219== by 0x80E75E2: main_loop (main.c:1208)
==20219== by 0x80E70D9: main (main.c:952)
(more errors after that)
Steps to reproduce:
1) Run:
valgrind --num-callers=50 --track-origins=yes 2> vg.log vim -u NONE
2) Type Ex command :X
3) Enter an encryption key which contains an _odd_ number of characters (e.g. "123")
4) Observe Valgrind errors in vg.log
misc2.c:
3786 void
3787 free_crypt_key(key)
3788 char_u *key;
3789 {
3790 char_u *p;
3791
3792 if (key != NULL)
3793 {
3794 for (p = key; *p != NUL; ++p)
3795 *p++ = 0;
3796 vim_free(key);
3797 }
3798 }
free_crypt_key() is clearing only half of the characters, since 'p' is
incremented twice per iteration. When the key has an odd number of characters,
memory is read beyond the allocation and may also be cleared
beyond the allocation.
Attached patch fixes it.
Regards
-- Dominique
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
diff -r 495995b9ce7d src/misc2.c
--- a/src/misc2.c Sat May 22 15:50:12 2010 +0200
+++ b/src/misc2.c Sat May 22 21:08:55 2010 +0200
@@ -3792,7 +3792,7 @@
if (key != NULL)
{
for (p = key; *p != NUL; ++p)
- *p++ = 0;
+ *p = 0;
vim_free(key);
}
}
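Review bot: the zeroing loop is now correct (`++p` in the for header with `*p = 0` in the body advances once per byte and stops at the key's NUL instead of stepping over it), but because `vim_free(key)` follows immediately, an optimising compiler may treat these plain stores as dead and drop them, leaving the key bytes intact in freed heap memory. Consider writing through a `volatile char_u *p` in this loop so the wipe cannot be elided.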
@@ -4100,7 +4100,7 @@
/*
* Initialization routine for vim_findfile.
*
- * Returns the newly allocated search context or NULL if an error occured.
+ * Returns the newly allocated search context or NULL if an error occurred.
*
* Don't forget to clean up by calling vim_findfile_cleanup() if you are done
* with the search context.
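Review bot: this comment-spelling correction (and the similar one in the following hunk) is unrelated to the memory-safety fix in free_crypt_key(); bundling it into the same patch makes the security fix harder to review and to backport on its own. Consider sending the typo fixes as a separate patch.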
@@ -4121,7 +4121,7 @@
*
* If the 'path' is relative, the starting dir for the search is either VIM's
* current dir or if the path starts with "./" the current files dir.
- * If the 'path' is absolut, the starting dir is that part of the path before
+ * If the 'path' is absolute, the starting dir is that part of the path before
* the first wildcard.
*
* Upward search is only done on the starting dir.
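The following is an added example, not code from Vim or from the patch above. It places a key in a constructed buffer whose bytes after the key's NUL are filled with a non-zero sentinel (standing in for the uninitialised heap data Valgrind flagged) plus trailing NULs, then runs the original double-stepping loop, the patched loop, and a hardened variant that writes through a volatile pointer (my suggestion, not part of the patch), and reports how many key bytes were actually zeroed and how far past the key each loop read. The names `run_wipe`, `wipe_buggy`, `wipe_fixed`, `wipe_volatile` and the padding layout are assumptions of this demo.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this demo (not Vim's allocation): the key, its NUL,
 * PAD_LEN sentinel bytes standing in for the uninitialised heap data that
 * Valgrind flagged, then two extra NULs so the double-stepping loop is
 * guaranteed to halt inside this buffer instead of running off the end. */
#define PAD_BYTE 0xAA
#define PAD_LEN  8
#define MAX_KEY  32

enum wipe_mode { WIPE_BUGGY, WIPE_FIXED, WIPE_VOLATILE };

struct wipe_report {
    size_t key_len;          /* strlen() of the key before wiping             */
    size_t key_zeroed;       /* key bytes that are 0 after the loop           */
    size_t pad_clobbered;    /* sentinel bytes past the key's NUL overwritten */
    size_t last_index_read;  /* index of the byte whose read stopped the loop */
};

/* The loop from Vim 7.3a's free_crypt_key(): `++p` in the for header plus
 * `*p++ = 0` in the body advances p by two per iteration. */
static size_t wipe_buggy(unsigned char *key)
{
    unsigned char *p;
    for (p = key; *p != 0; ++p)
        *p++ = 0;
    return (size_t)(p - key);
}

/* The loop as patched: one advance per iteration. */
static size_t wipe_fixed(unsigned char *key)
{
    unsigned char *p;
    for (p = key; *p != 0; ++p)
        *p = 0;
    return (size_t)(p - key);
}

/* Hardened variant (assumption of this demo, not in the patch): stores
 * through a volatile pointer cannot be dropped as dead stores ahead of the
 * free() that follows in free_crypt_key(). */
static size_t wipe_volatile(unsigned char *key)
{
    volatile unsigned char *p = key;
    size_t i = 0;
    while (p[i] != 0)
        p[i++] = 0;
    return i;
}

/* Build the padded buffer, run the chosen loop, and measure what happened. */
static struct wipe_report run_wipe(const char *key, enum wipe_mode mode)
{
    struct wipe_report r = {0, 0, 0, 0};
    unsigned char buf[MAX_KEY + PAD_LEN + 3];
    size_t len = strlen(key);
    size_t total = len + 1 + PAD_LEN + 2;
    size_t i;

    assert(len <= MAX_KEY);
    memset(buf, PAD_BYTE, total);
    memcpy(buf, key, len);
    buf[len] = 0;                 /* the key's own terminator               */
    buf[total - 2] = 0;           /* stop bytes at both parities, so the    */
    buf[total - 1] = 0;           /* double-stepping loop cannot escape     */

    r.key_len = len;
    switch (mode) {
    case WIPE_BUGGY:    r.last_index_read = wipe_buggy(buf);    break;
    case WIPE_FIXED:    r.last_index_read = wipe_fixed(buf);    break;
    case WIPE_VOLATILE: r.last_index_read = wipe_volatile(buf); break;
    }
    for (i = 0; i < len; i++)
        if (buf[i] == 0)
            r.key_zeroed++;
    for (i = len + 1; i < len + 1 + PAD_LEN; i++)
        if (buf[i] != PAD_BYTE)
            r.pad_clobbered++;
    return r;
}

static void print_report(const char *label, struct wipe_report r)
{
    printf("%-8s key_len=%zu zeroed=%zu pad_clobbered=%zu last_index_read=%zu%s\n",
           label, r.key_len, r.key_zeroed, r.pad_clobbered, r.last_index_read,
           r.last_index_read > r.key_len ? "  <-- read past the key's NUL" : "");
}

int main(void)
{
    print_report("buggy", run_wipe("123", WIPE_BUGGY));     /* odd length  */
    print_report("buggy", run_wipe("1234", WIPE_BUGGY));    /* even length */
    print_report("fixed", run_wipe("123", WIPE_FIXED));
    print_report("volatile", run_wipe("123", WIPE_VOLATILE));
    return 0;
}
```

With the odd-length key "123" the original loop zeroes only key[0] and key[2], leaves '2' in memory, and keeps walking every second byte through the sentinel region until it finds a zero; with the even-length "1234" it stops at the key's NUL but still leaves half the key behind. Both corrected loops zero all three bytes and stop exactly at index 3.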