
Invalid release bug at fileio.c #4804

Closed
wants to merge 1 commit into from

Conversation

@JZuming

commented Aug 12, 2019

I found an invalid release bug at fileio.c.

The malloc() in the call stack shown below may fail:
#0 Call malloc() in lalloc(), at misc2.c: 924
#1 Call lalloc() in alloc(), at misc2.c: 827
#2 Call alloc() in enc_canonize(), at mbyte.c: 4323
#3 Call enc_canonize() in next_fenc(), at fileio.c: 2789
#4 Call next_fenc() in readfile(), at fileio.c: 893
#5 Call readfile() in open_buffer(), at buffer.c: 233
#6 Call open_buffer() in create_windows(), at main.c: 2750
#7 Call create_windows() in vim_main2(), at main.c: 728
#8 Call vim_main2() in main(), at main.c: 444

If the malloc() in this call stack fails, it will finally make the variable fenc in readfile() become "", and then the variable fenc_alloced in readfile() is TRUE. At fileio.c: 2319, because fenc_alloced is TRUE, vim_free(fenc) will be executed. However, fenc is "", so vim_free() frees an invalid pointer and causes a crash.

To fix this bug, the program should assign fenc_alloced FALSE when fenc is "".
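The ownership mismatch described above, modelled as an added C example that is not vim's code: canonize(), next_fenc_buggy(), next_fenc_fixed(), readfile_cleanup_misfrees(), kEmpty and the fail_alloc switch are all constructed stand-ins for enc_canonize(), next_fenc(), readfile()'s cleanup and a failing malloc().

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ownership bug in this PR, not vim's code: canonize()
 * stands in for enc_canonize(), next_fenc_*() for next_fenc(), and
 * readfile_cleanup_misfrees() for readfile()'s vim_free(fenc) at fenc_alloced. */
static bool fail_alloc = false;  /* constructed switch: simulate malloc() failure */
static char kEmpty[] = "";       /* the static "" fallback that must never be freed */

/* Stand-in for enc_canonize(): heap copy of enc, or NULL when allocation fails. */
static char *canonize(const char *enc)
{
    if (fail_alloc) return NULL;
    size_t n = strlen(enc) + 1;
    char *p = malloc(n);
    if (p != NULL) memcpy(p, enc, n);
    return p;
}

/* Buggy shape: falls back to the static "" but leaves the caller's
 * fenc_alloced untouched, and the caller had already set it to true. */
static char *next_fenc_buggy(const char *enc)
{
    char *r = canonize(enc);
    return r != NULL ? r : kEmpty;
}

/* Fixed shape, as the patch note describes: next_fenc() sets the flag itself,
 * so it is false exactly when the static fallback is returned. */
static char *next_fenc_fixed(const char *enc, bool *alloced)
{
    char *r = canonize(enc);
    *alloced = (r != NULL);
    return r != NULL ? r : kEmpty;
}

/* Returns 1 if readfile()'s cleanup would hand the static "" to free(). The
 * pointer is checked by address rather than freed, so the model never crashes. */
int readfile_cleanup_misfrees(bool use_fix, bool simulate_oom)
{
    fail_alloc = simulate_oom;
    bool fenc_alloced = true;  /* set before next_fenc(), as the report describes */
    char *fenc = use_fix ? next_fenc_fixed("utf-8", &fenc_alloced)
                         : next_fenc_buggy("utf-8");
    int misfree = fenc_alloced && fenc == kEmpty;
    if (fenc_alloced && !misfree) free(fenc);
    fail_alloc = false;
    return misfree;
}
```

Only the out-of-memory path with the buggy shape reports a misfree; with the callee owning the flag, the "" fallback is never handed to free().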

Update fileio.c
Fix a bug

@brammool brammool closed this in f077db2 Aug 12, 2019

janlazo added a commit to janlazo/neovim that referenced this pull request Aug 13, 2019

vim-patch:8.1.1843: might be freeing memory that was not allocated
Problem:    Might be freeing memory that was not allocated.
Solution:   Have next_fenc() set the fenc_alloced flag. (closes vim/vim#4804)
vim/vim@f077db2

blueyed added a commit to neovim/neovim that referenced this pull request Aug 13, 2019

vim-patch:8.1.1843: might be freeing memory that was not allocated (#10756)

Problem:    Might be freeing memory that was not allocated.
Solution:   Have next_fenc() set the fenc_alloced flag. (closes vim/vim#4804)
vim/vim@f077db2