On 15/07/2013 09:40, Mike Williams wrote:
Hi,

Been playing with reduced maxmem and found I can crash VIM when getting
spelling suggestions.  The following will reproduce the crash under
Windows (line wrapped, and lots of fun getting the double quotes right):

gvim -u NONE -U NONE -c "call feedkeys("":set" "maxmem=512"
"spell\<CR>iasd\<ESC>z=""")"

The crash is in mf_write_block() checking the encrypt key
*mfp->mf_buffer->b_p_key when the pointer is NULL.  Since the pointer is
expected to be valid then there is a path through the spell code that is
not setting up the buffer parameters right.  Sorry no time at the moment
to dive any deeper.

My Vim is built with (i.e. features is big):

nmake -f make_mvc.mak GUI=yes WINVER=0x0501 CPUNR=pentium4
POSTSCRIPT=yes PYTHON=h:\python27 PYTHON_VER=27 DYNAMIC_PYTHON=yes

Reproducible under unix as well.

Scratched the itch - attached is a patch to fix the crash. There may be other lurking gotchas with the minimal buffer initialisation created by the spell code.

Mike
--
I wish I were what I was when I wished I were what I am now.



diff --git a/src/spell.c b/src/spell.c
--- a/src/spell.c
+++ b/src/spell.c
@@ -9052,6 +9052,15 @@ open_spellbuf()
     buf = (buf_T *)alloc_clear(sizeof(buf_T));
     if (buf != NULL)
     {
+#ifdef FEAT_CRYPT
+        buf->b_p_key = (char_u *)alloc_clear(sizeof(char_u));
+        if (buf->b_p_key == NULL)
+        {
+            vim_free(buf);
+            return NULL;
+        }
+        *buf->b_p_key = NUL;
+#endif
        buf->b_spell = TRUE;
        buf->b_p_swf = TRUE;    /* may create a swap file */
        ml_open(buf);
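Review bot: the explicit `*buf->b_p_key = NUL;` after `alloc_clear(sizeof(char_u))` is redundant, since alloc_clear already zero-fills the byte; harmless, but the lines would be more useful with a short comment saying why the spell buffer needs a non-NULL (empty) key at all, namely that mf_write_block() dereferences b_p_key unconditionally in a FEAT_CRYPT build. The early `return NULL` is safe here because ml_open() has not run yet, so nothing else needs tearing down, but it relies on every caller of open_spellbuf() already handling a NULL result (they must, since the alloc_clear of buf itself can fail).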
@@ -9070,6 +9079,9 @@ close_spellbuf(buf)
     if (buf != NULL)
     {
        ml_close(buf, TRUE);
+#ifdef FEAT_CRYPT
+        vim_free(buf->b_p_key);
+#endif
        vim_free(buf);
     }
 }
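Review bot: keep `vim_free(buf->b_p_key)` after `ml_close(buf, TRUE)` as written, because closing the memfile can still go through the block write path that reads the key; a one-line comment pinning that ordering would stop a later cleanup from moving the free above ml_close(). It is also worth confirming that nothing else assigns b_p_key on this minimal buffer between open_spellbuf() and close_spellbuf(), otherwise freeing it here would leak or double-free the other value.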

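The failure and the fix from the report, modelled as a stand-alone C example added here (not Vim's code): a hypothetical buf_T-like struct whose key is never set, a write-side check shaped like the one in mf_write_block(), a hardened variant of that check, and open/close routines shaped like the patched open_spellbuf()/close_spellbuf(). All names and fields are assumptions modelled on the report, not Vim's real definitions.

```c
#include <stdlib.h>
#define NUL '\0'
typedef unsigned char char_u;

/* Hypothetical stand-in for the one buf_T field the crash involves. */
typedef struct { char_u *b_p_key; } buf_T;

/* Models the check in mf_write_block(): a block is encrypted only when the
 * buffer has a non-empty key.  With b_p_key == NULL this is the crash. */
static int mf_block_needs_crypt(const buf_T *buf)
{
    return *buf->b_p_key != NUL;
}

/* Hardened write-side check: a buffer whose key was never set is plain. */
static int mf_block_needs_crypt_safe(const buf_T *buf)
{
    return buf->b_p_key != NULL && *buf->b_p_key != NUL;
}

/* Models open_spellbuf() after the patch: the minimal buffer gets "" as key. */
static buf_T *open_spellbuf(void)
{
    buf_T *buf = calloc(1, sizeof(buf_T));
    if (buf == NULL)
        return NULL;
    buf->b_p_key = calloc(1, sizeof(char_u));   /* zeroed, so it reads as "" */
    if (buf->b_p_key == NULL) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Models close_spellbuf(): free the key after the memfile is done with it. */
static void close_spellbuf(buf_T *buf)
{
    if (buf == NULL)
        return;
    free(buf->b_p_key);
    free(buf);
}

/* 1 if a patched spell buffer passes both checks as unencrypted and the
 * hardened check also tolerates a bare, unpatched-style buffer; else 0. */
static int check_spellbuf_fix(void)
{
    buf_T bare = { NULL };
    buf_T *buf = open_spellbuf();
    int ok = buf != NULL && !mf_block_needs_crypt(buf)
        && !mf_block_needs_crypt_safe(buf) && !mf_block_needs_crypt_safe(&bare);
    close_spellbuf(buf);
    return ok;
}
```

The unpatched path is the call to mf_block_needs_crypt() on a buffer like `bare`; the patch fixes the caller (open_spellbuf), while mf_block_needs_crypt_safe() shows the belt-and-braces check a callee could add as well.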