Patch 8.2.1962
Problem: Netbeans may access freed memory.
Solution: Check the buffer pointer is still valid. Add a test. (Yegappan
Lakshmanan, closes #7248)
Files: src/netbeans.c, src/testdir/test_netbeans.vim
*** ../vim-8.2.1961/src/netbeans.c 2020-10-13 21:11:09.315812394 +0200
--- src/netbeans.c 2020-11-06 13:39:09.516189899 +0100
***************
*** 572,578 ****
buf = buf_list[i];
vim_free(buf.displayname);
vim_free(buf.signmap);
! if (buf.bufp != NULL)
{
buf.bufp->b_netbeans_file = FALSE;
buf.bufp->b_was_netbeans_file = FALSE;
--- 572,578 ----
buf = buf_list[i];
vim_free(buf.displayname);
vim_free(buf.signmap);
! if (buf.bufp != NULL && buf_valid(buf.bufp))
{
buf.bufp->b_netbeans_file = FALSE;
buf.bufp->b_was_netbeans_file = FALSE;
***************
*** 1943,1957 ****
if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH)
{
emsg("E532: highlighting color name too long in
defineAnnoType");
! vim_free(typeName);
parse_error = TRUE;
}
else if (typeName != NULL && tooltip != NULL && glyphFile != NULL)
addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg);
- else
- vim_free(typeName);
! // don't free typeName; it's used directly in addsigntype()
vim_free(fg);
vim_free(bg);
vim_free(tooltip);
--- 1943,1955 ----
if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH)
{
emsg("E532: highlighting color name too long in
defineAnnoType");
! VIM_CLEAR(typeName);
parse_error = TRUE;
}
else if (typeName != NULL && tooltip != NULL && glyphFile != NULL)
addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg);
! vim_free(typeName);
vim_free(fg);
vim_free(bg);
vim_free(tooltip);
***************
*** 3240,3246 ****
}
}
! globalsignmap[i] = (char *)typeName;
globalsignmapused = i + 1;
}
--- 3238,3244 ----
}
}
! globalsignmap[i] = (char *)vim_strsave(typeName);
globalsignmapused = i + 1;
}
*** ../vim-8.2.1961/src/testdir/test_netbeans.vim 2020-11-05
20:50:45.331984998 +0100
--- src/testdir/test_netbeans.vim 2020-11-06 13:36:49.348612758 +0100
***************
*** 34,42 ****
" Read the "Xnetbeans" file and filter out geometry messages.
func ReadXnetbeans()
let l = readfile("Xnetbeans")
! " Xnetbeans may include '0:geometry=' messages on GUI environment if window
" position, size, or z order are changed. Remove these messages because
! " will causes troubles on check.
return filter(l, 'v:val !~ "^0:geometry="')
endfunc
--- 34,42 ----
" Read the "Xnetbeans" file and filter out geometry messages.
func ReadXnetbeans()
let l = readfile("Xnetbeans")
! " Xnetbeans may include '0:geometry=' messages in the GUI Vim if the window
" position, size, or z order are changed. Remove these messages because
! " these message will break the assert for the output.
return filter(l, 'v:val !~ "^0:geometry="')
endfunc
***************
*** 388,394 ****
call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none',
l[-1])
sleep 1m
call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'},
! \ sign_getdefined()[0])
let g:last += 3
" defineAnnoType with a long color name
--- 388,394 ----
call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none',
l[-1])
sleep 1m
call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'},
! \ sign_getdefined()->get(0, {}))
let g:last += 3
" defineAnnoType with a long color name
***************
*** 892,895 ****
--- 892,935 ----
call s:run_server('Nb_quit_with_conn')
endfunc
+ func Nb_bwipe_buffer(port)
+ call delete("Xnetbeans")
+ call writefile([], "Xnetbeans")
+
+ " Last line number in the Xnetbeans file. Used to verify the result of the
+ " communication with the netbeans server
+ let g:last = 0
+
+ " Establish the connection with the netbeans server
+ exe 'nbstart :localhost:' .. a:port .. ':bunny'
+ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+ let l = ReadXnetbeans()
+ call assert_equal(['AUTH bunny',
+ \ '0:version=0 "2.5"',
+ \ '0:startupDone=0'], l[-3:])
+ let g:last += 3
+
+ " Open the command buffer to communicate with the server
+ split Xcmdbuf
+ call WaitFor('len(ReadXnetbeans()) > (g:last + 2)')
+ let l = ReadXnetbeans()
+ call assert_equal('0:fileOpened=0 "Xcmdbuf" T F',
+ \ substitute(l[-3], '".*/', '"', ''))
+ call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"',
+ \ substitute(l[-2], '".*/', '"', ''))
+ call assert_equal('1:startDocumentListen!16', l[-1])
+ let g:last += 3
+
+ sleep 10m
+ endfunc
+
+ " This test used to reference a buffer after it was freed leading to an ASAN
+ " error.
+ func Test_nb_bwipe_buffer()
+ call s:run_server('Nb_bwipe_buffer')
+ %bwipe!
+ sleep 100m
+ nbclose
+ endfunc
+
" vim: shiftwidth=2 sts=2 expandtab
*** ../vim-8.2.1961/src/version.c 2020-11-05 20:50:45.331984998 +0100
--- src/version.c 2020-11-06 13:41:44.547727282 +0100
***************
*** 752,753 ****
--- 752,755 ----
{ /* Add new patch number below this line */
+ /**/
+ 1962,
/**/
--
panic("Foooooooood fight!");
-- In the kernel source aha1542.c, after detecting a bad segment list
/// Bram Moolenaar -- [email protected] -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
--
--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php
---
You received this message because you are subscribed to the Google Groups
"vim_dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/vim_dev/202011061244.0A6CitXC409186%40masaka.moolenaar.net.
