To: vim_dev@googlegroups.com Subject: Patch 8.2.1962 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 8.2.1962 Problem: Netbeans may access freed memory. Solution: Check the buffer pointer is still valid. Add a test. (Yegappan Lakshmanan, closes #7248) Files: src/netbeans.c, src/testdir/test_netbeans.vim *** ../vim-8.2.1961/src/netbeans.c 2020-10-13 21:11:09.315812394 +0200 --- src/netbeans.c 2020-11-06 13:39:09.516189899 +0100 *************** *** 572,578 **** buf = buf_list[i]; vim_free(buf.displayname); vim_free(buf.signmap); ! if (buf.bufp != NULL) { buf.bufp->b_netbeans_file = FALSE; buf.bufp->b_was_netbeans_file = FALSE; --- 572,578 ---- buf = buf_list[i]; vim_free(buf.displayname); vim_free(buf.signmap); ! if (buf.bufp != NULL && buf_valid(buf.bufp)) { buf.bufp->b_netbeans_file = FALSE; buf.bufp->b_was_netbeans_file = FALSE; *************** *** 1943,1957 **** if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH) { emsg("E532: highlighting color name too long in defineAnnoType"); ! vim_free(typeName); parse_error = TRUE; } else if (typeName != NULL && tooltip != NULL && glyphFile != NULL) addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg); - else - vim_free(typeName); ! // don't free typeName; it's used directly in addsigntype() vim_free(fg); vim_free(bg); vim_free(tooltip); --- 1943,1955 ---- if (STRLEN(fg) > MAX_COLOR_LENGTH || STRLEN(bg) > MAX_COLOR_LENGTH) { emsg("E532: highlighting color name too long in defineAnnoType"); ! VIM_CLEAR(typeName); parse_error = TRUE; } else if (typeName != NULL && tooltip != NULL && glyphFile != NULL) addsigntype(buf, typeNum, typeName, tooltip, glyphFile, fg, bg); ! vim_free(typeName); vim_free(fg); vim_free(bg); vim_free(tooltip); *************** *** 3240,3246 **** } } ! globalsignmap[i] = (char *)typeName; globalsignmapused = i + 1; } --- 3238,3244 ---- } } ! 
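Review bot: `buf_valid(buf.bufp)` in the hunk at line 572 only confirms that the pointer is in the buffer list at this moment, so the stale `bufp` still sits in `buf_list[i]` until this cleanup runs, and any other reader of that field stays exposed. If a wiped buffer's address were later reused for a new buffer, the check would pass and the two `b_netbeans_file` flags would be cleared on an unrelated buffer; this is inferred, since the hunk does not show whether `bufp` is reset when a buffer is wiped. Consider clearing `bufp` where the buffer is wiped, or holding a `bufref_T` and testing it with `bufref_valid()`. At minimum add a comment above the condition such as `// bufp may be stale if the buffer was wiped while netbeans was connected`. The enclosing function starts and ends outside the hunk.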
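Review bot: In the hunk at line 1943, freeing `typeName` unconditionally after the `addsigntype()` call is only safe because the callee now stores its own copy (the `vim_strsave()` change at line 3240 of this file). Nothing here records that contract now that the old "don't free typeName" comment is gone. Add a replacement comment above the free, e.g. `// addsigntype() keeps its own copy of typeName, so free it here on every path`. With the shared `vim_free(typeName);` in place, the `VIM_CLEAR(typeName);` in the E532 branch appears redundant and could be dropped so there is a single release point. The surrounding function begins and ends outside the hunk.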
globalsignmap[i] = (char *)vim_strsave(typeName); globalsignmapused = i + 1; } *** ../vim-8.2.1961/src/testdir/test_netbeans.vim 2020-11-05 20:50:45.331984998 +0100 --- src/testdir/test_netbeans.vim 2020-11-06 13:36:49.348612758 +0100 *************** *** 34,42 **** " Read the "Xnetbeans" file and filter out geometry messages. func ReadXnetbeans() let l = readfile("Xnetbeans") ! " Xnetbeans may include '0:geometry=' messages on GUI environment if window " position, size, or z order are changed. Remove these messages because ! " will causes troubles on check. return filter(l, 'v:val !~ "^0:geometry="') endfunc --- 34,42 ---- " Read the "Xnetbeans" file and filter out geometry messages. func ReadXnetbeans() let l = readfile("Xnetbeans") ! " Xnetbeans may include '0:geometry=' messages in the GUI Vim if the window " position, size, or z order are changed. Remove these messages because ! " these message will break the assert for the output. return filter(l, 'v:val !~ "^0:geometry="') endfunc *************** *** 388,394 **** call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none', l[-1]) sleep 1m call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'}, ! \ sign_getdefined()[0]) let g:last += 3 " defineAnnoType with a long color name --- 388,394 ---- call assert_equal('send: 2:defineAnnoType!60 1 "s1" "x" "=>" blue none', l[-1]) sleep 1m call assert_equal({'name': '1', 'texthl': 'NB_s1', 'text': '=>'}, ! \ sign_getdefined()->get(0, {})) let g:last += 3 " defineAnnoType with a long color name *************** *** 892,895 **** --- 892,935 ---- call s:run_server('Nb_quit_with_conn') endfunc + func Nb_bwipe_buffer(port) + call delete("Xnetbeans") + call writefile([], "Xnetbeans") + + " Last line number in the Xnetbeans file. Used to verify the result of the + " communication with the netbeans server + let g:last = 0 + + " Establish the connection with the netbeans server + exe 'nbstart :localhost:' .. a:port .. 
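Review bot: The result of `vim_strsave(typeName)` is stored in `globalsignmap[i]` without a NULL check, and `globalsignmapused = i + 1;` then advances past a slot that may be empty after an allocation failure. Any later pass over the map that compares entries as strings would dereference that NULL; the lookup loop is outside the hunk, so this is inferred. Check right after the assignment and leave before the counter is bumped, e.g. `if (globalsignmap[i] == NULL) return;` (assuming the function returns void, which the hunk does not show). Also confirm that the netbeans cleanup path frees each `globalsignmap` entry, now that the map owns its strings rather than borrowing the caller's.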
':bunny' + call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') + let l = ReadXnetbeans() + call assert_equal(['AUTH bunny', + \ '0:version=0 "2.5"', + \ '0:startupDone=0'], l[-3:]) + let g:last += 3 + + " Open the command buffer to communicate with the server + split Xcmdbuf + call WaitFor('len(ReadXnetbeans()) > (g:last + 2)') + let l = ReadXnetbeans() + call assert_equal('0:fileOpened=0 "Xcmdbuf" T F', + \ substitute(l[-3], '".*/', '"', '')) + call assert_equal('send: 1:putBufferNumber!15 "Xcmdbuf"', + \ substitute(l[-2], '".*/', '"', '')) + call assert_equal('1:startDocumentListen!16', l[-1]) + let g:last += 3 + + sleep 10m + endfunc + + " This test used to reference a buffer after it was freed leading to an ASAN + " error. + func Test_nb_bwipe_buffer() + call s:run_server('Nb_bwipe_buffer') + %bwipe! + sleep 100m + nbclose + endfunc + " vim: shiftwidth=2 sts=2 expandtab *** ../vim-8.2.1961/src/version.c 2020-11-05 20:50:45.331984998 +0100 --- src/version.c 2020-11-06 13:41:44.547727282 +0100 *************** *** 752,753 **** --- 752,755 ---- { /* Add new patch number below this line */ + /**/ + 1962, /**/ -- panic("Foooooooood fight!"); -- In the kernel source aha1542.c, after detecting a bad segment list /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ \\\ an exciting new programming language -- http://www.Zimbu.org /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
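Review bot: `Test_nb_bwipe_buffer()` makes no assertion after `%bwipe!`, so it only catches the freed-buffer access when Vim is built with ASAN or run under valgrind; in an ordinary build it passes whether or not the fix is present. Say so in the comment above the test, e.g. `" Only detects the problem under ASAN/valgrind: wipes all buffers while connected, then closes the connection.` The fixed `sleep 10m` and `sleep 100m` also leave the ordering between the wipe and `nbclose` dependent on timing on slow or loaded machines. A `WaitFor()` on an observable condition, as used earlier in `Nb_bwipe_buffer()`, would be more robust if such a condition is available.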