[patch] fixed uninitialized mem access with ":wundo foo" when foo exists & its size is 0

[patch] fixed uninitialized mem access with ":wundo foo" when foo exists & its size is 0

Dominique Pellé
Hi

I see the following error with Valgrind in Vim-7.3a BETA (c81f0a037059)
when doing  :wundo foo  and when file foo already exists and has size 0:

==4957== Conditional jump or move depends on uninitialised value(s)
==4957==    at 0x81BCB49: u_write_undo (undo.c:1293)
==4957==    by 0x80AFBE6: ex_wundo (ex_docmd.c:8471)
==4957==    by 0x80A70DC: do_one_cmd (ex_docmd.c:2639)
==4957==    by 0x80A49B5: do_cmdline (ex_docmd.c:1108)
==4957==    by 0x812A219: nv_colon (normal.c:5226)
==4957==    by 0x8123AA3: normal_cmd (normal.c:1188)
==4957==    by 0x80E71DC: main_loop (main.c:1216)
==4957==    by 0x80E6CD3: main (main.c:960)
==4957==  Uninitialised value was created by a stack allocation
==4957==    at 0x81BC9F2: u_write_undo (undo.c:1226)

undo.c:

1289                 char_u buf[2];
1290
1291                 vim_read(fd, buf, 2);
1292                 close(fd);
1293                 if ((buf[0] << 8) + buf[1] != UF_START_MAGIC)
1294                 {
1295                     if (name != NULL || p_verbose > 0)
1296                         smsg((char_u *)_("Will not overwrite, this is not an undo file: %s"),
1297                              file_name);
1298                     goto theend;
1299                 }

Code did not check whether vim_read() succeeds at line undo.c:1291.
Attached patch fixes it.

-- Dominique

--
You received this message from the "vim_dev" maillist.
Do not top-post! Type your reply below the text you are replying to.
For more information, visit http://www.vim.org/maillist.php

Attachment: fixed-uninitmem-wundo-undo.c-7.3a.patch (726 bytes)
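The defect above is a read whose result is never checked: when the file is empty, vim_read() returns 0, buf[] keeps whatever the stack held, and the magic-number comparison on line 1293 branches on garbage. The following is an added illustration (not the attached patch and not Vim's own code) of the hardened shape of that check, written against a plain read() and a stand-in UF_START_MAGIC value that is assumed for the example rather than taken from undo.c. It distinguishes "not an undo file" from "could not read a complete header", which is the case the original code conflated.

```c
#include <stdio.h>
#include <unistd.h>

/* Stand-in for Vim's UF_START_MAGIC: an assumed 16-bit value used only in
 * this illustration, not the constant defined in undo.c. */
#define UF_START_MAGIC 0xfd2a

enum undo_header_status {
    UNDO_HDR_OK = 0,         /* two bytes read and they match the magic */
    UNDO_HDR_NOT_UNDO = 1,   /* two bytes read, but not an undo file */
    UNDO_HDR_SHORT_READ = 2  /* read() failed or returned fewer than 2 bytes */
};

/* Hardened form of the check at undo.c:1291-1293: the return value of read()
 * is tested before buf[] is used, so an empty or truncated file can never make
 * the comparison depend on uninitialised stack bytes. */
enum undo_header_status check_undo_header(int fd)
{
    unsigned char buf[2];
    ssize_t n = read(fd, buf, sizeof buf);

    /* n == 0 is exactly the "file exists with size 0" case from the report;
     * n < 0 is an I/O error.  Neither may fall through to the comparison. */
    if (n != (ssize_t)sizeof buf)
        return UNDO_HDR_SHORT_READ;

    if (((buf[0] << 8) | buf[1]) != UF_START_MAGIC)
        return UNDO_HDR_NOT_UNDO;

    return UNDO_HDR_OK;
}

/* Test helper (constructed for this example): writes the given bytes to a
 * temporary file, rewinds it and runs the header check on its descriptor. */
enum undo_header_status status_for_bytes(const unsigned char *bytes, size_t len)
{
    FILE *f = tmpfile();
    enum undo_header_status st;

    if (f == NULL)
        return UNDO_HDR_SHORT_READ;
    if (len > 0 && fwrite(bytes, 1, len, f) != len) {
        fclose(f);
        return UNDO_HDR_SHORT_READ;
    }
    fflush(f);
    rewind(f);                      /* underlying fd now at offset 0 */
    st = check_undo_header(fileno(f));
    fclose(f);
    return st;
}

int main(void)
{
    /* Constructed sample headers. */
    static const unsigned char good[] = { 0xfd, 0x2a, 'x' };
    static const unsigned char text[] = { 'h', 'i' };

    printf("empty file      : %d\n", status_for_bytes(good, 0));  /* 2 */
    printf("one byte        : %d\n", status_for_bytes(good, 1));  /* 2 */
    printf("valid magic     : %d\n", status_for_bytes(good, 3));  /* 0 */
    printf("ordinary text   : %d\n", status_for_bytes(text, 2));  /* 1 */
    return 0;
}
```

The caller decides what to do with UNDO_HDR_SHORT_READ; the safe default for a "will not overwrite unless this is an undo file" policy is to treat it like UNDO_HDR_NOT_UNDO and refuse, since nothing has been verified about the file. The same pattern applies to any header sniffing done with read() or fread(): compare against the magic only after the full header length has actually arrived.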
Re: [patch] fixed uninitialized mem access with ":wundo foo" when foo exists & its size is 0

Bram Moolenaar

Dominique Pelle wrote:

> I see the following error with Valgrind in Vim-7.3a BETA (c81f0a037059)
> when doing  :wundo foo  and when file foo already exists and has size 0:
>
> ==4957== Conditional jump or move depends on uninitialised value(s)
> ==4957==    at 0x81BCB49: u_write_undo (undo.c:1293)
> ==4957==    by 0x80AFBE6: ex_wundo (ex_docmd.c:8471)
> ==4957==    by 0x80A70DC: do_one_cmd (ex_docmd.c:2639)
> ==4957==    by 0x80A49B5: do_cmdline (ex_docmd.c:1108)
> ==4957==    by 0x812A219: nv_colon (normal.c:5226)
> ==4957==    by 0x8123AA3: normal_cmd (normal.c:1188)
> ==4957==    by 0x80E71DC: main_loop (main.c:1216)
> ==4957==    by 0x80E6CD3: main (main.c:960)
> ==4957==  Uninitialised value was created by a stack allocation
> ==4957==    at 0x81BC9F2: u_write_undo (undo.c:1226)
>
> undo.c:
>
> 1289                 char_u buf[2];
> 1290
> 1291                 vim_read(fd, buf, 2);
> 1292                 close(fd);
> 1293                 if ((buf[0] << 8) + buf[1] != UF_START_MAGIC)
> 1294                 {
> 1295                     if (name != NULL || p_verbose > 0)
> 1296                         smsg((char_u *)_("Will not overwrite, this is not an undo file: %s"),
> 1297                              file_name);
> 1298                     goto theend;
> 1299                 }
>
> Code did not check whether vim_read() succeeds at line undo.c:1291.
> Attached patch fixes it.

Thanks, I'll include it.

--
From "know your smileys":
 :-| :-|   Deja' vu!

 /// Bram Moolenaar -- [hidden email] -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///
