Dominique Pellé wrote:

> Dominique Pellé wrote:
>
>> Latest Vim-7.3b BETA (2401:f380d5227fad) accesses uninitialized memory
>> when doing this:
>
> Sorry, I forgot to attach the patch in my previous email.
> Here it is.


Having a second look at the code of ml_recover(), I see another bug
which already existed before my patch: there is a path where ml_recover()
can do "goto theend" after allocating buf and before initializing buf->b_p_key
and buf->b_p_cm.  Free memory would then be used when freeing
buf->b_p_key and buf->b_p_cm.

Attached new patch also fixes this issue.

-- Dominique

-- 
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
diff -r f380d5227fad src/memline.c
--- a/src/memline.c	Sun Jul 25 13:12:49 2010 +0200
+++ b/src/memline.c	Sun Jul 25 13:54:16 2010 +0200
@@ -1155,7 +1155,7 @@
 
     /*
      * Allocate a buffer structure for the swap file that is used for recovery.
-     * Only the memline in it is really used.
+     * Only the memline and crypt information in it are really used.
      */
     buf = (buf_T *)alloc((unsigned)sizeof(buf_T));
     if (buf == NULL)
@@ -1170,6 +1170,10 @@
     buf->b_ml.ml_line_lnum = 0;		/* no cached line */
     buf->b_ml.ml_locked = NULL;		/* no locked block */
     buf->b_ml.ml_flags = 0;
+#ifdef FEAT_CRYPT
+    buf->b_p_key = empty_option;
+    buf->b_p_cm = empty_option;
+#endif
 
     /*
      * open the memfile from the old swap file
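Review bot: the two new assignments only close the hole if no "goto theend" is reachable between the alloc() at line 1158 and line 1173, and the hunk shows only the tail of that range; please confirm, or put `buf->b_p_key = empty_option;` and `buf->b_p_cm = empty_option;` directly under the `if (buf == NULL)` check so that any early exit added later is covered as well. Because buf comes from alloc() and not a zeroing allocator, every pointer field that theend hands to free_string_option() or vim_free() (ml_stack, b_p_key, b_p_cm) needs an explicit initialiser like this one; using alloc_clear() for buf would make any field that is missed NULL, which both free routines already tolerate.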
@@ -1187,7 +1191,6 @@
     buf->b_ml.ml_mfp = mfp;
 #ifdef FEAT_CRYPT
     mfp->mf_buffer = buf;
-    buf->b_p_key = empty_option;
 #endif
 
     /*
@@ -1685,6 +1688,7 @@
 #ifdef FEAT_CRYPT
 	if (buf->b_p_key != curbuf->b_p_key)
 	    free_string_option(buf->b_p_key);
+	free_string_option(buf->b_p_cm);
 #endif
 	vim_free(buf->b_ml.ml_stack);
 	vim_free(buf);
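Review bot: b_p_cm is freed unconditionally while b_p_key is freed only when it differs from curbuf->b_p_key; if recovery can ever make buf->b_p_cm point at curbuf's (or another buffer's) option value the way it evidently can for b_p_key, this line becomes a double free. Either mirror the guard, `if (buf->b_p_cm != curbuf->b_p_cm) free_string_option(buf->b_p_cm);`, or confirm that b_p_cm is only ever empty_option or an owned copy and record that in a comment next to the free.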
@@ -4939,7 +4943,7 @@
 #define MLCS_MINL 400   /* should be half of MLCS_MAXL */
 
 /*
- * Keep information for finding byte offset of a line, updtytpe may be one of:
+ * Keep information for finding byte offset of a line, updtype may be one of:
  * ML_CHNK_ADDLINE: Add len to parent chunk, possibly splitting it
  *	   Careful: ML_CHNK_ADDLINE may cause ml_find_line() to be called.
  * ML_CHNK_DELLINE: Subtract len from parent chunk, possibly deleting it
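
The ordering problem described in the mail, as an added example in plain C. This is not Vim code: rec_buf_T, tracked_alloc(), the init_order enum and the scenario functions are stand-ins defined here, and only the names b_p_key, b_p_cm, empty_option and free_string_option() are borrowed from the patch. The tracked allocator fills fresh memory with 0xAA (so an uninitialised field is never NULL by luck) and counts frees of pointers it never handed out instead of corrupting the heap, which makes the pre-patch ordering, the patched ordering and a zeroing-allocator variant comparable in one run.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LIVE 16

/* Stand-in for Vim's shared empty_option sentinel: never freed. */
static char  empty_option_buf[1] = "";
static char *empty_option = empty_option_buf;

/* Stand-in for the crypt-related fields of buf_T that ml_recover() frees. */
typedef struct {
    char *b_p_key;
    char *b_p_cm;
} rec_buf_T;

enum init_order { PRE_PATCH, PATCHED, ZEROED_ALLOC };

/* Tracked allocator: remembers every live pointer so that a free of anything
 * else (garbage, already freed) is counted rather than corrupting the heap.
 * Unless zeroed, new memory is filled with 0xAA so an uninitialised field is
 * never accidentally NULL, which is what a real allocator may hand you. */
static void *live[MAX_LIVE];
static int   n_live;
static int   bad_frees;

static void *tracked_alloc(size_t n, int zero)
{
    void *p = malloc(n);
    if (p == NULL || n_live == MAX_LIVE) { free(p); return NULL; }
    memset(p, zero ? 0x00 : 0xAA, n);
    live[n_live++] = p;
    return p;
}

static void tracked_free(void *p)
{
    int i;
    for (i = 0; i < n_live; ++i) {
        if (live[i] == p) {
            live[i] = live[--n_live];
            free(p);
            return;
        }
    }
    ++bad_frees;   /* a real free() here would crash or corrupt the heap */
}

/* Mirrors free_string_option(): the sentinel is skipped, anything else freed. */
static void free_string_option(char *p)
{
    if (p != NULL && p != empty_option)
        tracked_free(p);
}

/* Models ml_recover(). open_fails takes the "goto theend" path that, in the
 * pre-patch ordering, runs before b_p_key and b_p_cm have been set. */
static int recover(enum init_order order, int open_fails)
{
    rec_buf_T *buf;
    char *key;

    buf = tracked_alloc(sizeof(rec_buf_T), order == ZEROED_ALLOC);
    if (buf == NULL)
        return -1;
    if (order == PATCHED) {            /* initialise before any early exit */
        buf->b_p_key = empty_option;
        buf->b_p_cm = empty_option;
    }
    if (open_fails)
        goto theend;                   /* memfile open failed */
    if (order == PRE_PATCH) {          /* too late for the path above */
        buf->b_p_key = empty_option;
        buf->b_p_cm = empty_option;
    }
    /* later recovery may give buf an owned key copy (constructed value) */
    key = tracked_alloc(4, 0);
    if (key == NULL)
        goto theend;
    memcpy(key, "key", 4);
    buf->b_p_key = key;

theend:
    free_string_option(buf->b_p_key);
    free_string_option(buf->b_p_cm);
    tracked_free(buf);
    return 0;
}

/* Runs one scenario; returns how many garbage frees the cleanup attempted. */
static int garbage_frees(enum init_order order, int open_fails)
{
    bad_frees = 0;
    recover(order, open_fails);
    return bad_frees;
}

/* Tracked allocations still live after the runs (0 means nothing leaked). */
static int live_allocations(void) { return n_live; }

int main(void)
{
    printf("pre-patch, open fails: %d garbage frees\n", garbage_frees(PRE_PATCH, 1));
    printf("patched,   open fails: %d garbage frees\n", garbage_frees(PATCHED, 1));
    printf("zeroed,    open fails: %d garbage frees\n", garbage_frees(ZEROED_ALLOC, 1));
    printf("patched,   open ok   : %d garbage frees\n", garbage_frees(PATCHED, 0));
    return live_allocations() == 0 ? 0 : 1;
}
```

The pre-patch ordering with a failing open hands two 0xAA-filled pointers to free_string_option(), which is the crash the mail describes; setting both fields to empty_option before the early exit, or zeroing the allocation so the fields are NULL, leaves the cleanup with nothing wrong to free. Both defences are cheap, and using them together means a field that a later edit forgets to initialise is still harmless at theend.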
