Pawel S. Veselov wrote:
> VIM (6.3.85p0) on openBSD 3.8, built from /usr/ports.
>
> in message.c there is a probable SEGV in msg_may_trunc() function.
> If multibyte string is passed in, and the size of the string in characters
> is less than room, but size in bytes is more than room, the (s-1) address
> is then written to, as (n) becomes -1.
>
> The attached patch should help. Should work on 6.4 as well.
>
> What I still don't understand is how it is OK to replace some position
> in asciiz string with '>'. Does anything guarantee that the position the
> '>' is written to is not a part of a multibyte character ?
Strange that this has gone unnoticed so long. It's probably because it
only happens when using IObuff as the buffer, which is never freed.
Then using one byte before the buffer writes in the length of the
buffer, and if you don't free it that is not causing trouble. But
of course it's bad anyway, just an explanation why we haven't seen
crashes all around.
A simpler solution is to check for "n" being negative and not doing
anything then. Like this:
Index: message.c
===================================================================
RCS file: /cvsroot/vim/vim7/src/message.c,v
retrieving revision 1.32
diff -u -r1.32 message.c
--- message.c 3 Oct 2005 21:50:54 -0000 1.32
+++ message.c 21 Dec 2005 21:40:36 -0000
@@ -727,6 +727,10 @@
size -= (*mb_ptr2cells)(s + n);
n += (*mb_ptr2len)(s + n);
}
+
+ /* there may be room anyway when there are multi-byte chars */
+ if (n == 0)
+ return s;
--n;
}
#endif
--
It might look like I'm doing nothing, but at the cellular level
I'm really quite busy.
/// Bram Moolenaar --
[hidden email] --
http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features --
http://www.Vim.org/sponsor/ \\\
\\\ download, build and distribute --
http://www.A-A-P.org ///
\\\ help me help AIDS victims --
http://www.ICCF.nl ///
Locked
message.diff (715 bytes)