Hi,
Vim calls realloc(NULL, size) which is fine in ANSI C: calling it with NULL as first argument is equivalent to calling malloc(size).
However, it causes a crash when compiling Vim with -DMEM_PROFILE
since function mem_realloc(ptr, size) does not handle NULL as
first argument.
Steps to reproduce:
1) Compile Vim with -DMEM_PROFILE
2) Run:
$ touch foo; ./vim -u NONE -c "call readfile('foo')"
Vim: Caught deadly signal SEGV
Vim: Finished.
Segmentation fault (core dumped)
Program received signal SIGSEGV, Segmentation fault.
0x081538c2 in mem_pre_free (pp=0xbfffe174) at misc2.c:756
756 size = *(size_t *)*pp;
(gdb) bt
#0 0x081538c2 in mem_pre_free (pp=0xbfffe174) at misc2.c:756
#1 0x0815385d in mem_realloc (ptr=0xfffffffc, size=28) at misc2.c:992
#2 0x0809af4b in f_readfile (argvars=0xbfffe790, rettv=0xbfffe938) at eval.c:14646
#3 0x08082c54 in call_func (funcname=0x832d80c "readfile", len=8, rettv=0xbfffe938, argcount=1, argvars=0xbfffe790, firstline=1, lastline=1, doesrange=0xbfffe930, evaluate=1, selfdict=0x0) at eval.c:8478
#4 0x0808578a in get_func_tv (name=0x832d80c "readfile", len=8, rettv=0xbfffe938, arg=0xbfffe954, firstline=1, lastline=1, doesrange=0xbfffe930, evaluate=1, selfdict=0x0) at eval.c:8291
#5 0x08084ca6 in ex_call (eap=0xbfffeaf8) at eval.c:3450
#6 0x080c8fb8 in do_one_cmd (cmdlinep=0xbffff000, sourcing=1, cstack=0xbfffece8, fgetline=0, cookie=0x0) at ex_docmd.c:2668
#7 0x080c54be in do_cmdline (cmdline=0xbffff573 "call readfile('foo')", fgetline=0, cookie=0x0, flags=11) at ex_docmd.c:1122
#8 0x080c62cf in do_cmdline_cmd (cmd=0xbffff573 "call readfile('foo')") at ex_docmd.c:727
#9 0x08274991 in exe_commands (parmp=0xbffff250) at main.c:2842
#10 0x08271262 in main (argc=5, argv=0xbffff3c4) at main.c:909
Attached "fix-mem_pre_free-7.3.515.patch" fixes it.
Furthermore, even if realloc(NULL, size) is fine in ANSI C, it may
not be fully portable on pre-ANSI C according to this link:
http://c-faq.com/malloc/reallocnull.html
So second attached patch "fix-realloc-7.3.515.patch" makes Vim
more portable on systems where realloc(NULL, ...) may not work.
It fixes the call to vim_realloc() in f_readfile() rather than the
implementation of vim_realloc() since I think it's the only place
where vim_realloc() is called with NULL as first argument. But it
could be safer to change vim_realloc() to handle NULL as first
argument.
Regards
-- Dominique
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
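The crash above is a profiling realloc wrapper reading a size header from a pointer that has none. The following is an added example written for this page, not Vim's code or either attached patch: a small header-tracking allocator in the style of a MEM_PROFILE build whose realloc wrapper checks for NULL before touching the header, so it also never relies on realloc(NULL, ...) itself. The prof_* names are made up.

```c
/* Added example (not Vim's code).  Every block is prefixed with a size_t
 * header recording its size; free/realloc must read that header, and a
 * NULL pointer has no header, which is what crashed mem_pre_free(). */
#include <stdlib.h>

static size_t mem_allocated;   /* running total of bytes handed out */

static void *prof_alloc(size_t size)
{
    size_t *hdr = malloc(sizeof(size_t) + size);
    if (hdr == NULL)
        return NULL;
    *hdr = size;
    mem_allocated += size;
    return hdr + 1;            /* user pointer sits just past the header */
}

/* Read the header and drop the block from the accounting; returns the raw
 * block.  Like mem_pre_free(), this must never be handed NULL. */
static size_t *prof_pre_free(void *p)
{
    size_t *hdr = (size_t *)p - 1;
    mem_allocated -= *hdr;
    return hdr;
}

static void prof_free(void *p)
{
    if (p != NULL)
        free(prof_pre_free(p));
}

/* Fixed profiling realloc: NULL is turned into a plain allocation before
 * any header is read, so the underlying realloc() never sees NULL either. */
static void *prof_realloc(void *p, size_t size)
{
    if (p == NULL)
        return prof_alloc(size);
    size_t *hdr = prof_pre_free(p);
    size_t *nhdr = realloc(hdr, sizeof(size_t) + size);
    if (nhdr == NULL) {
        mem_allocated += *hdr; /* old block still valid; restore accounting */
        return NULL;
    }
    *nhdr = size;
    mem_allocated += size;
    return nhdr + 1;
}

size_t prof_bytes_in_use(void) { return mem_allocated; }
```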