From 5ee0df48a8b2f86fc091a334b5be721da11a5a8b Mon Sep 17 00:00:00 2001
From: Karsten Hopp
Date: Mar 10 2009 09:57:58 +0000
Subject: - patchlevel 132, fixes accesses to freed memory
---
diff --git a/7.2.132 b/7.2.132
new file mode 100644
index 0000000..69e19ee
--- /dev/null
+++ b/7.2.132
@@ -0,0 +1,268 @@ +To: vim-dev@vim.org +Subject: Patch 7.2.132 +Fcc: outbox +From: Bram Moolenaar +Mime-Version: 1.0 +Content-Type: text/plain; charset=ISO-8859-1 +Content-Transfer-Encoding: 8bit +------------ + +Patch 7.2.132 +Problem: When changing directory during a SwapExists autocmd freed memory + may be accessed. (Dominique Pelle) +Solution: Add the allbuf_lock flag. +Files: src/ex_getln.c, src/globals.h, src/fileio.c, + src/proto/ex_getln.pro + + +*** ../vim-7.2.131/src/ex_getln.c Mon Mar 2 02:11:09 2009 +--- src/ex_getln.c Mon Mar 2 00:53:39 2009 +*************** +*** 2000,2007 **** + + #if defined(FEAT_AUTOCMD) || defined(PROTO) + /* +! * Check if "curbuf_lock" is set and return TRUE when it is and give an error +! * message. + */ + int + curbuf_locked() +--- 2000,2007 ---- + + #if defined(FEAT_AUTOCMD) || defined(PROTO) + /* +! * Check if "curbuf_lock" or "allbuf_lock" is set and return TRUE when it is +! * and give an error message. + */ + int + curbuf_locked() +*************** +*** 2011,2016 **** +--- 2011,2031 ---- + EMSG(_("E788: Not allowed to edit another buffer now")); + return TRUE; + } ++ return allbuf_locked(); ++ } ++ ++ /* ++ * Check if "allbuf_lock" is set and return TRUE when it is and give an error ++ * message. ++ */ ++ int ++ allbuf_locked() ++ { ++ if (allbuf_lock > 0) ++ { ++ EMSG(_("E811: Not allowed to change buffer information now")); ++ return TRUE; ++ } + return FALSE; + } + #endif +*** ../vim-7.2.131/src/globals.h Mon Mar 2 02:44:54 2009 +--- src/globals.h Mon Mar 2 02:40:16 2009 +*************** +*** 619,624 **** +--- 619,629 ---- + EXTERN int curbuf_lock INIT(= 0); + /* non-zero when the current buffer can't be + * changed. Used for FileChangedRO. */ ++ EXTERN int allbuf_lock INIT(= 0); ++ /* non-zero when no buffer name can be ++ * changed, no buffer can be deleted and ++ * current directory can't be changed. ++ * Used for SwapExists et al. 
*/ + #endif + #ifdef FEAT_EVAL + # define HAVE_SANDBOX +*** ../vim-7.2.131/src/fileio.c Wed Dec 31 16:20:54 2008 +--- src/fileio.c Sun Mar 1 23:37:10 2009 +*************** +*** 69,75 **** + static int au_find_group __ARGS((char_u *name)); + + # define AUGROUP_DEFAULT -1 /* default autocmd group */ +! # define AUGROUP_ERROR -2 /* errornouse autocmd group */ + # define AUGROUP_ALL -3 /* all autocmd groups */ + #endif + +--- 69,75 ---- + static int au_find_group __ARGS((char_u *name)); + + # define AUGROUP_DEFAULT -1 /* default autocmd group */ +! # define AUGROUP_ERROR -2 /* erroneous autocmd group */ + # define AUGROUP_ALL -3 /* all autocmd groups */ + #endif + +*************** +*** 144,150 **** + # endif + #endif + static int move_lines __ARGS((buf_T *frombuf, buf_T *tobuf)); +! + + void + filemess(buf, name, s, attr) +--- 144,152 ---- + # endif + #endif + static int move_lines __ARGS((buf_T *frombuf, buf_T *tobuf)); +! #ifdef FEAT_AUTOCMD +! static char *e_auchangedbuf = N_("E812: Autocommands changed buffer or buffer name"); +! #endif + + void + filemess(buf, name, s, attr) +*************** +*** 295,300 **** +--- 297,315 ---- + int conv_restlen = 0; /* nr of bytes in conv_rest[] */ + #endif + ++ #ifdef FEAT_AUTOCMD ++ /* Remember the initial values of curbuf, curbuf->b_ffname and ++ * curbuf->b_fname to detect whether they are altered as a result of ++ * executing nasty autocommands. Also check if "fname" and "sfname" ++ * point to one of these values. 
*/ ++ buf_T *old_curbuf = curbuf; ++ char_u *old_b_ffname = curbuf->b_ffname; ++ char_u *old_b_fname = curbuf->b_fname; ++ int using_b_ffname = (fname == curbuf->b_ffname) ++ || (sfname == curbuf->b_ffname); ++ int using_b_fname = (fname == curbuf->b_fname) ++ || (sfname == curbuf->b_fname); ++ #endif + write_no_eol_lnum = 0; /* in case it was set by the previous read */ + + /* +*************** +*** 589,595 **** +--- 604,624 ---- + #ifdef FEAT_QUICKFIX + if (!bt_dontwrite(curbuf)) + #endif ++ { + check_need_swap(newfile); ++ #ifdef FEAT_AUTOCMD ++ /* SwapExists autocommand may mess things up */ ++ if (curbuf != old_curbuf ++ || (using_b_ffname ++ && (old_b_ffname != curbuf->b_ffname)) ++ || (using_b_fname ++ && (old_b_fname != curbuf->b_fname))) ++ { ++ EMSG(_(e_auchangedbuf)); ++ return FAIL; ++ } ++ #endif ++ } + if (dir_of_file_exists(fname)) + filemess(curbuf, sfname, (char_u *)_("[New File]"), 0); + else +*************** +*** 668,673 **** +--- 697,713 ---- + #endif + { + check_need_swap(newfile); ++ #ifdef FEAT_AUTOCMD ++ if (!read_stdin && (curbuf != old_curbuf ++ || (using_b_ffname && (old_b_ffname != curbuf->b_ffname)) ++ || (using_b_fname && (old_b_fname != curbuf->b_fname)))) ++ { ++ EMSG(_(e_auchangedbuf)); ++ if (!read_buffer) ++ close(fd); ++ return FAIL; ++ } ++ #endif + #ifdef UNIX + /* Set swap file protection bits after creating it. */ + if (swap_mode > 0 && curbuf->b_ml.ml_mfp->mf_fname != NULL) +*************** +*** 698,704 **** + { + int m = msg_scroll; + int n = msg_scrolled; +- buf_T *old_curbuf = curbuf; + + /* + * The file must be closed again, the autocommands may want to change +--- 738,743 ---- +*************** +*** 740,747 **** +--- 779,791 ---- + /* + * Don't allow the autocommands to change the current buffer. + * Try to re-open the file. ++ * ++ * Don't allow the autocommands to change the buffer name either ++ * (cd for example) if it invalidates fname or sfname. 
+ */ + if (!read_stdin && (curbuf != old_curbuf ++ || (using_b_ffname && (old_b_ffname != curbuf->b_ffname)) ++ || (using_b_fname && (old_b_fname != curbuf->b_fname)) + || (fd = mch_open((char *)fname, O_RDONLY | O_EXTRA, 0)) < 0)) + { + --no_wait_return; +*************** +*** 6320,6326 **** + + if (!stuff_empty() || global_busy || !typebuf_typed() + #ifdef FEAT_AUTOCMD +! || autocmd_busy || curbuf_lock > 0 + #endif + ) + need_check_timestamps = TRUE; /* check later */ +--- 6364,6370 ---- + + if (!stuff_empty() || global_busy || !typebuf_typed() + #ifdef FEAT_AUTOCMD +! || autocmd_busy || curbuf_lock > 0 || allbuf_lock > 0 + #endif + ) + need_check_timestamps = TRUE; /* check later */ +*************** +*** 6522,6529 **** +--- 6566,6575 ---- + set_vim_var_string(VV_FCS_REASON, (char_u *)reason, -1); + set_vim_var_string(VV_FCS_CHOICE, (char_u *)"", -1); + # endif ++ ++allbuf_lock; + n = apply_autocmds(EVENT_FILECHANGEDSHELL, + buf->b_fname, buf->b_fname, FALSE, buf); ++ --allbuf_lock; + busy = FALSE; + if (n) + { +*** ../vim-7.2.131/src/proto/ex_getln.pro Fri Nov 28 10:59:57 2008 +--- src/proto/ex_getln.pro Sun Mar 1 00:27:12 2009 +*************** +*** 4,9 **** +--- 4,10 ---- + int text_locked __ARGS((void)); + void text_locked_msg __ARGS((void)); + int curbuf_locked __ARGS((void)); ++ int allbuf_locked __ARGS((void)); + char_u *getexline __ARGS((int c, void *dummy, int indent)); + char_u *getexmodeline __ARGS((int promptc, void *dummy, int indent)); + int cmdline_overstrike __ARGS((void)); +*** ../vim-7.2.131/src/version.c Wed Mar 4 04:11:56 2009 +--- src/version.c Thu Mar 5 03:08:54 2009 +*************** +*** 678,679 **** +--- 678,681 ---- + { /* Add new patch number below this line */ ++ /**/ ++ 132, + /**/ + +-- +hundred-and-one symptoms of being an internet addict: +168. You have your own domain name. 
+ + /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ +/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\ +\\\ download, build and distribute -- http://www.A-A-P.org /// + \\\ help me help AIDS victims -- http://ICCF-Holland.org /// diff --git a/README.patches b/README.patches index 10d7953..a21cee5 100644 --- a/README.patches +++ b/README.patches @@ -160,3 +160,4 @@ Individual patches for Vim 7.2: 2229 7.2.129 opening command window from input() uses the search history 12852 7.2.130 Vim may haing until CTRL-C is typed when using CTRL-Z 2612 7.2.131 using wrong cursor highlighting after clearing 'keymap' + 7823 7.2.132 may access freed memory when changing dir in SwapExists autocmd diff --git a/vim.spec b/vim.spec index 55f02ef..18a4e2e 100644 --- a/vim.spec +++ b/vim.spec @@ -18,7 +18,7 @@ #used for pre-releases: %define beta %{nil} %define vimdir vim72%{?beta} -%define patchlevel 131 +%define patchlevel 132 Summary: The VIM editor URL: http://www.vim.org/ @@ -197,6 +197,7 @@ Patch128: ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.128 Patch129: ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.129 Patch130: ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.130 Patch131: ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.131 +Patch132: ftp://ftp.vim.org/pub/vim/patches/7.2/7.2.132 Patch3000: vim-7.0-syntax.patch Patch3002: vim-7.1-nowarnings.patch @@ -461,6 +462,7 @@ perl -pi -e "s,bin/nawk,bin/awk,g" runtime/tools/mve.awk %patch129 -p0 %patch130 -p0 %patch131 -p0 +%patch132 -p0 # install spell files %if %{withvimspell} @@ -919,6 +921,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/icons/hicolor/*/apps/* %changelog +* Tue Mar 10 2009 Karsten Hopp 7.2.132-1 +- patchlevel 132, fixes accesses to freed memory + * Wed Mar 04 2009 Karsten Hopp 7.2.131-1 - patchlevel 131
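Review bot: The comment added for `allbuf_lock` in src/globals.h promises more than the visible code enforces. It says no buffer name can be changed, no buffer deleted and the current directory not changed, "for SwapExists et al.", yet the only `++allbuf_lock` / `--allbuf_lock` pair in these hunks wraps the `EVENT_FILECHANGEDSHELL` call in src/fileio.c, and `allbuf_locked()` is reached only through `curbuf_locked()`. For the SwapExists case named in the patch description, readfile() instead checks after `check_need_swap()` whether `curbuf`, `b_ffname` or `b_fname` differ from the saved pointers, which detects a change after the fact rather than preventing it. Unless the commands that change directory or rename and delete buffers call `allbuf_locked()` in files outside this patch, I would either add those callers or reword the comment, for example `/* non-zero while FileChangedShell autocommands run; SwapExists is handled by the pointer checks in readfile() */`. The readfile() body begins and ends outside the hunks shown, so the saved pointers may be used in ways not visible here.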