To: vim-dev@vim.org Subject: Patch 6.2.187 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit ------------ Patch 6.2.187 Problem: Using Insure++ reveals a number of bugs. (Dominuque Pelle) Solution: Initialize variables where needed. Free allocated memory to avoid leaks. Fix comparing tags to avoid reading past allocated memory. Files: src/buffer.c, src/diff.c, src/fileio.c, src/mark.c, src/misc1.c, src/misc2.c, src/ops.c, src/option.c, src/tag.c, src/ui.c *** ../vim-6.2.186/src/buffer.c Sun Nov 9 20:35:08 2003 --- src/buffer.c Thu Jan 15 22:10:02 2004 *************** *** 4085,4090 **** --- 4085,4091 ---- #ifdef FEAT_AUTOCMD --autocmd_no_leave; #endif + vim_free(opened); } # if defined(FEAT_LISTCMDS) || defined(PROTO) *** ../vim-6.2.186/src/diff.c Sun Oct 27 19:28:04 2002 --- src/diff.c Fri Jan 16 11:52:11 2004 *************** *** 952,958 **** curwin = wp; curbuf = curwin->w_buffer; set_string_option_direct((char_u *)"fdm", -1, (char_u *)"diff", ! OPT_LOCAL); curwin = old_curwin; curbuf = curwin->w_buffer; wp->w_p_fdc = 2; --- 952,958 ---- curwin = wp; curbuf = curwin->w_buffer; set_string_option_direct((char_u *)"fdm", -1, (char_u *)"diff", ! OPT_LOCAL|OPT_FREE); curwin = old_curwin; curbuf = curwin->w_buffer; wp->w_p_fdc = 2; *** ../vim-6.2.186/src/fileio.c Fri Jan 9 14:33:14 2004 --- src/fileio.c Thu Jan 15 22:07:40 2004 *************** *** 3233,3239 **** #if defined(UNIX) && !defined(ARCHIE) /* When using ":w!" and the file was read-only: make it writable */ ! if (forceit && st_old.st_uid == getuid() && perm >= 0 && !(perm & 0200) && vim_strchr(p_cpo, CPO_FWRITE) == NULL) { perm |= 0200; --- 3262,3268 ---- #if defined(UNIX) && !defined(ARCHIE) /* When using ":w!" and the file was read-only: make it writable */ ! 
if (forceit && perm >= 0 && !(perm & 0200) && st_old.st_uid == getuid() && vim_strchr(p_cpo, CPO_FWRITE) == NULL) { perm |= 0200; *** ../vim-6.2.186/src/mark.c Sat Sep 27 19:36:47 2003 --- src/mark.c Fri Jan 16 11:56:14 2004 *************** *** 1140,1151 **** name = buflist_nr2name(fm->fmark.fnum, TRUE, FALSE); else name = fm->fname; /* use name from .viminfo */ ! if (name == NULL || *name == NUL) ! return; ! ! fprintf(fp, "%c%c %ld %ld ", c1, c2, (long)fm->fmark.mark.lnum, (long)fm->fmark.mark.col); ! viminfo_writestring(fp, name); if (fm->fmark.fnum != 0) vim_free(name); } --- 1145,1157 ---- name = buflist_nr2name(fm->fmark.fnum, TRUE, FALSE); else name = fm->fname; /* use name from .viminfo */ ! if (name != NULL && *name != NUL) ! { ! fprintf(fp, "%c%c %ld %ld ", c1, c2, (long)fm->fmark.mark.lnum, (long)fm->fmark.mark.col); ! viminfo_writestring(fp, name); ! } ! if (fm->fmark.fnum != 0) vim_free(name); } *** ../vim-6.2.186/src/misc1.c Sun Jan 18 20:15:02 2004 --- src/misc1.c Sun Jan 18 16:07:34 2004 *************** *** 1368,1373 **** --- 1368,1374 ---- curwin->w_cursor.coladd = 0; #endif ins_bytes(p_extra); /* will call changed_bytes() */ + vim_free(p_extra); next_line = NULL; } #endif *** ../vim-6.2.186/src/misc2.c Sat Sep 27 19:36:47 2003 --- src/misc2.c Fri Jan 16 15:19:08 2004 *************** *** 2129,2135 **** char_u *dst; int keycode; /* prefer key code, e.g. K_DEL instead of DEL */ { ! int modifiers; int key; int dlen = 0; --- 2129,2135 ---- char_u *dst; int keycode; /* prefer key code, e.g. K_DEL instead of DEL */ { ! 
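Review bot: The reordered `:w!` condition in the fileio.c hunk is only safe because `perm >= 0` now short-circuits before `st_old.st_uid` is read, and nothing on the line says so; a later edit that rearranges the operands again would quietly reintroduce the read of a `struct stat` that was never filled in for a file that does not exist. I would pin the invariant on the new line: `/* st_old is only valid when perm >= 0 (the file exists): keep that test first */`. The uid check is also the only thing limiting the chmod-to-writable that follows to files the current user owns, which is the right limit and deserves a word in the same comment. The enclosing function starts and ends outside the hunk.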
int modifiers = 0; int key; int dlen = 0; *************** *** 4368,4373 **** --- 4368,4376 ---- while (vl != NULL) { vp = vl->ffv_next; + #ifdef FEAT_PATH_EXTRA + vim_free(vl->ffv_wc_path); + #endif vim_free(vl); vl = vp; } *** ../vim-6.2.186/src/ops.c Sun Oct 12 16:56:43 2003 --- src/ops.c Thu Jan 15 22:30:37 2004 *************** *** 5610,5619 **** if (s == NULL) break; if (extra) - { mch_memmove(s, y_ptr->y_array[lnum], (size_t)extra); vim_free(y_ptr->y_array[lnum]); - } if (i) mch_memmove(s + extra, str + start, (size_t)i); extra += i; --- 5610,5618 ---- if (s == NULL) break; if (extra) mch_memmove(s, y_ptr->y_array[lnum], (size_t)extra); + if (append) vim_free(y_ptr->y_array[lnum]); if (i) mch_memmove(s + extra, str + start, (size_t)i); extra += i; *** ../vim-6.2.186/src/option.c Sun Oct 26 20:19:23 2003 --- src/option.c Thu Jan 15 22:03:06 2004 *************** *** 7008,7013 **** --- 7008,7014 ---- else { --arg; /* put arg at the '<' */ + modifiers = 0; key = find_special_key(&arg, &modifiers, TRUE); if (modifiers) /* can't handle modifiers here */ key = 0; *** ../vim-6.2.186/src/tag.c Mon Dec 29 19:48:35 2003 --- src/tag.c Sun Jan 18 13:05:42 2004 *************** *** 1066,1071 **** --- 1066,1076 ---- int is_etag; /* current file is emaces style */ #endif + struct match_found + { + int len; /* nr of chars of match[] to be compared */ + char_u match[1]; /* actually longer */ + } *mfp, *mfp2; garray_T ga_match[MT_COUNT]; int match_count = 0; /* number of matches found */ char_u **matches; *************** *** 1110,1116 **** ebuf = alloc(LSIZE); #endif for (mtt = 0; mtt < MT_COUNT; ++mtt) ! ga_init2(&ga_match[mtt], (int)sizeof(char_u *), 100); /* check for out of memory situation */ if (lbuf == NULL || tag_fname == NULL --- 1115,1121 ---- ebuf = alloc(LSIZE); #endif for (mtt = 0; mtt < MT_COUNT; ++mtt) ! 
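Review bot: In the ops.c hunk the free of `y_ptr->y_array[lnum]` is now gated on `append` instead of `extra`, so it executes on every iteration of the enclosing loop for as long as `append` stays set; that is only memory-safe if `append` is cleared after the first line or every slot beyond the old lines is NULL, and neither is visible here because the loop begins and ends outside the hunk. A comment on the new line would make the intent explicit: `/* the old last line was copied into s above (extra bytes); free it even when it was empty */`. Worth confirming that `append` is reset after the first line, otherwise later iterations would free whatever the freshly grown array holds in those slots.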
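Review bot: Zeroing `modifiers` before the `find_special_key()` call in the option.c hunk fixes one caller, and the misc2.c hunk in this same patch fixes another, which suggests the callee ORs into `*modifiers` without initializing it; any third caller remains exposed to the same uninitialized read. The more robust fix is one line at the top of `find_special_key()`, `*modifiers = 0;` (its body is not in this patch, so confirm it never relies on a caller-supplied starting value), after which the two caller-side initializations become belt-and-braces. The enclosing function in option.c starts and ends outside the hunk.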
ga_init2(&ga_match[mtt], (int)sizeof(struct match_found *), 100); /* check for out of memory situation */ if (lbuf == NULL || tag_fname == NULL *************** *** 1726,1738 **** cc = *tagp.tagname_end; *tagp.tagname_end = NUL; match = vim_regexec(®match, tagp.tagname, (colnr_T)0); ! matchoff = (int)(regmatch.startp[0] - tagp.tagname); ! if (match && regmatch.rm_ic) { ! regmatch.rm_ic = FALSE; ! match_no_ic = vim_regexec(®match, tagp.tagname, (colnr_T)0); ! regmatch.rm_ic = TRUE; } *tagp.tagname_end = cc; match_re = TRUE; --- 1731,1746 ---- cc = *tagp.tagname_end; *tagp.tagname_end = NUL; match = vim_regexec(®match, tagp.tagname, (colnr_T)0); ! if (match) { ! matchoff = (int)(regmatch.startp[0] - tagp.tagname); ! if (regmatch.rm_ic) ! { ! regmatch.rm_ic = FALSE; ! match_no_ic = vim_regexec(®match, tagp.tagname, (colnr_T)0); ! regmatch.rm_ic = TRUE; ! } } *tagp.tagname_end = cc; match_re = TRUE; *************** *** 1793,1798 **** --- 1801,1811 ---- mtt += MT_RE_OFF; } + /* + * Add the found match in ga_match[mtt], avoiding duplicates. + * Store the info we need later, which depends on the kind of + * tags we are dealing with. + */ if (ga_grow(&ga_match[mtt], 1) == OK) { if (help_only) *************** *** 1803,1846 **** */ *tagp.tagname_end = NUL; len = (int)(tagp.tagname_end - tagp.tagname); ! p = vim_strnsave(tagp.tagname, len + 10); ! if (p != NULL) sprintf((char *)p + len + 1, "%06d", help_heuristic(tagp.tagname, match_re ? matchoff : 0, !match_no_ic)); *tagp.tagname_end = TAB; - ++len; /* compare one more char */ } else if (name_only) { - p = NULL; - len = 0; if (get_it_again) { char_u *temp_end = tagp.command; ! if ((*temp_end) == '/') ! while ( *temp_end && (*temp_end != '\r') ! && (*temp_end != '\n') ! && (*temp_end != '$')) temp_end++; ! if ((tagp.command + 2) < temp_end) { len = (int)(temp_end - tagp.command - 2); ! p = vim_strnsave(tagp.command + 2, len); } get_it_again = FALSE; } else { len = (int)(tagp.tagname_end - tagp.tagname); ! 
p = vim_strnsave(tagp.tagname, len); ! /* if wanted, re-read line to get long form too*/ if (State & INSERT) get_it_again = p_sft; } - ++len; /* compare one more char */ } else { --- 1816,1880 ---- */ *tagp.tagname_end = NUL; len = (int)(tagp.tagname_end - tagp.tagname); ! mfp = (struct match_found *) ! alloc(sizeof(struct match_found) + len + 10); ! if (mfp != NULL) ! { ! mfp->len = len + 1; /* also compare the NUL */ ! p = mfp->match; ! STRCPY(p, tagp.tagname); sprintf((char *)p + len + 1, "%06d", help_heuristic(tagp.tagname, match_re ? matchoff : 0, !match_no_ic)); + } *tagp.tagname_end = TAB; } else if (name_only) { if (get_it_again) { char_u *temp_end = tagp.command; ! if (*temp_end == '/') ! while (*temp_end && *temp_end != '\r' ! && *temp_end != '\n' ! && *temp_end != '$') temp_end++; ! if (tagp.command + 2 < temp_end) { len = (int)(temp_end - tagp.command - 2); ! mfp = (struct match_found *) ! alloc(sizeof(struct match_found) + len); ! if (mfp != NULL) ! { ! mfp->len = len + 1; /* include the NUL */ ! p = mfp->match; ! STRNCPY(p, tagp.command + 2, len); ! p[len] = NUL; ! } } + else + mfp = NULL; get_it_again = FALSE; } else { len = (int)(tagp.tagname_end - tagp.tagname); ! mfp = (struct match_found *) ! alloc(sizeof(struct match_found) + len); ! if (mfp != NULL) ! { ! mfp->len = len + 1; /* include the NUL */ ! p = mfp->match; ! STRNCPY(p, tagp.tagname, len); ! p[len] = NUL; ! } ! ! /* if wanted, re-read line to get long form too */ if (State & INSERT) get_it_again = p_sft; } } else { *************** *** 1856,1864 **** else ++len; #endif ! p = alloc(len); ! if (p != NULL) { p[0] = mtt; STRCPY(p + 1, tag_fname); #ifdef BACKSLASH_IN_FILENAME --- 1890,1901 ---- else ++len; #endif ! mfp = (struct match_found *) ! alloc(sizeof(struct match_found) + len); ! if (mfp != NULL) { + mfp->len = len; + p = mfp->match; p[0] = mtt; STRCPY(p + 1, tag_fname); #ifdef BACKSLASH_IN_FILENAME *************** *** 1880,1886 **** } } ! 
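Review bot: In the help_only branch the `sprintf((char *)p + len + 1, "%06d", ...)` writes into the spare bytes that `alloc(sizeof(struct match_found) + len + 10)` leaves after the name and its NUL; `%06d` needs 7 of the roughly 10 available, so the bound holds only while `help_heuristic()` returns a non-negative value of at most nine digits, which the hunk does not establish. I would tie the numbers together with a named constant and a comment, e.g. `#define MFP_PRIO_LEN 7 /* "%06d" + NUL written after the tag name */`, size the allocation from it, or clamp the heuristic before formatting. The `STRNCPY` plus explicit `p[len] = NUL` pairs in the name_only branches are fine since each buffer is sized for exactly `len + 1`. The enclosing function starts and ends outside the hunk.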
if (p != NULL) { /* * Don't add identical matches. --- 1917,1923 ---- } } ! if (mfp != NULL) { /* * Don't add identical matches. *************** *** 1895,1915 **** #endif for (i = ga_match[mtt].ga_len; --i >= 0 && !got_int; ) { ! if (vim_memcmp( ! ((char_u **)(ga_match[mtt].ga_data))[i], ! p, (size_t)len) == 0) ! break; ! line_breakcheck(); } if (i < 0) { ! ((char_u **)(ga_match[mtt].ga_data)) ! [ga_match[mtt].ga_len++] = p; ga_match[mtt].ga_room--; ++match_count; } else ! vim_free(p); } } else /* Out of memory! Just forget about the rest. */ --- 1932,1954 ---- #endif for (i = ga_match[mtt].ga_len; --i >= 0 && !got_int; ) { ! mfp2 = ((struct match_found **) ! (ga_match[mtt].ga_data))[i]; ! if (mfp2->len == mfp->len ! && vim_memcmp(mfp2->match, mfp->match, ! (size_t)mfp->len) == 0) ! break; ! line_breakcheck(); } if (i < 0) { ! ((struct match_found **)(ga_match[mtt].ga_data)) ! [ga_match[mtt].ga_len++] = mfp; ga_match[mtt].ga_room--; ++match_count; } else ! vim_free(mfp); } } else /* Out of memory! Just forget about the rest. */ *************** *** 2021,2031 **** { for (i = 0; i < ga_match[mtt].ga_len; ++i) { ! p = ((char_u **)(ga_match[mtt].ga_data))[i]; if (matches == NULL) ! vim_free(p); else ! matches[match_count++] = p; } ga_clear(&ga_match[mtt]); } --- 2060,2077 ---- { for (i = 0; i < ga_match[mtt].ga_len; ++i) { ! mfp = ((struct match_found **)(ga_match[mtt].ga_data))[i]; if (matches == NULL) ! vim_free(mfp); else ! { ! /* To avoid allocating memory again we turn the struct ! * match_found into a string. For help the priority was not ! * included in the length. */ ! mch_memmove(mfp, mfp->match, ! (size_t)(mfp->len + (help_only ? 9 : 0))); ! matches[match_count++] = (char_u *)mfp; ! } } ga_clear(&ga_match[mtt]); } *** ../vim-6.2.186/src/ui.c Sat Sep 27 19:36:47 2003 --- src/ui.c Thu Jan 15 22:16:00 2004 *************** *** 1539,1544 **** --- 1539,1545 ---- /* * Restore the input buffer with a pointer returned from get_input_buf(). 
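Review bot: The in-place conversion `mch_memmove(mfp, mfp->match, (size_t)(mfp->len + (help_only ? 9 : 0)))` depends on arithmetic defined in other hunks: `mfp->len` already counts the NUL in every branch, and the help-only priority written by `sprintf("%06d")` occupies the 7 bytes right after it, so the 9 copies two bytes beyond the string but stays inside the `len + 10` allocation. That reasoning should be spelled out where the constant is used, e.g. `/* help_only: the "%06d" priority + NUL (7 bytes) follow the name; 9 keeps a margin inside the len + 10 allocation */`. A second sentence noting that `matches[]` still points at the start of the allocated block, so the later `vim_free()` on it remains valid, would save the next reader the same check. The enclosing function starts and ends outside the hunk.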
+ * The allocated memory is freed, this only works once! */ void set_input_buf(p) *************** *** 1546,1555 **** { garray_T *gap = (garray_T *)p; ! if (gap != NULL && gap->ga_data != NULL) { ! mch_memmove(inbuf, gap->ga_data, gap->ga_len); ! inbufcount = gap->ga_len; } } #endif --- 1547,1561 ---- { garray_T *gap = (garray_T *)p; ! if (gap != NULL) { ! if (gap->ga_data != NULL) ! { ! mch_memmove(inbuf, gap->ga_data, gap->ga_len); ! inbufcount = gap->ga_len; ! vim_free(gap->ga_data); ! } ! vim_free(gap); } } #endif *** ../vim-6.2.186/src/version.c Sun Jan 18 20:50:42 2004 --- src/version.c Sun Jan 18 20:52:09 2004 *************** *** 639,640 **** --- 639,642 ---- { /* Add new patch number below this line */ + /**/ + 187, /**/ -- ARTHUR: I did say sorry about the `old woman,' but from the behind you looked-- DENNIS: What I object to is you automatically treat me like an inferior! ARTHUR: Well, I AM king... The Quest for the Holy Grail (Monty Python) /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// Sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ Project leader for A-A-P -- http://www.A-A-P.org /// \\\ Help AIDS victims, buy here: http://ICCF-Holland.org/click1.html ///
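Review bot: `set_input_buf()` now frees both `gap->ga_data` and `gap`, so the pointer the caller obtained from `get_input_buf()` is dangling on return; the added comment says it works only once, but the signature does not show the ownership transfer, and a second call with the same pointer is a double free. Either state the transfer in `get_input_buf()`'s comment as well, or have callers drop their copy, e.g. `set_input_buf(p); p = NULL;`. The `mch_memmove(inbuf, gap->ga_data, gap->ga_len)` still trusts `ga_len` not to exceed the size of `inbuf`, which presumably holds when the garray was filled from `inbuf` itself; a one-line comment stating that assumption would be welcome.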