To: vim-dev@vim.org

Subject: Patch 7.2.406

Fcc: outbox

From: Bram Moolenaar <Bram@moolenaar.net>

Mime-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

------------

Patch 7.2.406

Problem:    Patch 7.2.119 introduces uninit mem read. (Dominique Pelle)

Solution:   Only used ScreeenLinesC when ScreeenLinesUC is not zero. (Yukihiro

	    Nakadaira)  Also clear ScreeenLinesC when allocating.

Files:	    src/screen.c

*** ../vim-7.2.405/src/screen.c	2010-03-23 13:56:53.000000000 +0100

--- src/screen.c	2010-03-23 15:26:44.000000000 +0100

***************

*** 25,34 ****

   * one character which occupies two display cells.

   * For UTF-8 a multi-byte character is converted to Unicode and stored in

   * ScreenLinesUC[].  ScreenLines[] contains the first byte only.  For an ASCII

!  * character without composing chars ScreenLinesUC[] will be 0.  When the

!  * character occupies two display cells the next byte in ScreenLines[] is 0.

   * ScreenLinesC[][] contain up to 'maxcombine' composing characters

!  * (drawn on top of the first character).  They are 0 when not used.

   * ScreenLines2[] is only used for euc-jp to store the second byte if the

   * first byte is 0x8e (single-width character).

   *

--- 25,35 ----

   * one character which occupies two display cells.

   * For UTF-8 a multi-byte character is converted to Unicode and stored in

   * ScreenLinesUC[].  ScreenLines[] contains the first byte only.  For an ASCII

!  * character without composing chars ScreenLinesUC[] will be 0 and

!  * ScreenLinesC[][] is not used.  When the character occupies two display

!  * cells the next byte in ScreenLines[] is 0.

   * ScreenLinesC[][] contain up to 'maxcombine' composing characters

!  * (drawn on top of the first character).  There is 0 after the last one used.

   * ScreenLines2[] is only used for euc-jp to store the second byte if the

   * first byte is 0x8e (single-width character).

   *

***************

*** 4893,4898 ****

--- 4894,4900 ----

  /*

   * Return if the composing characters at "off_from" and "off_to" differ.

+  * Only to be used when ScreenLinesUC[off_from] != 0.

   */

      static int

  comp_char_differs(off_from, off_to)

***************

*** 6281,6286 ****

--- 6283,6289 ----

  /*

   * Return TRUE if composing characters for screen posn "off" differs from

   * composing characters in "u8cc".

+  * Only to be used when ScreenLinesUC[off] != 0.

   */

      static int

  screen_comp_differs(off, u8cc)

***************

*** 6461,6468 ****

  		    && c == 0x8e

  		    && ScreenLines2[off] != ptr[1])

  		|| (enc_utf8

! 		    && (ScreenLinesUC[off] != (u8char_T)(c >= 0x80 ? u8c : 0)

! 			|| screen_comp_differs(off, u8cc)))

  #endif

  		|| ScreenAttrs[off] != attr

  		|| exmode_active;

--- 6464,6473 ----

  		    && c == 0x8e

  		    && ScreenLines2[off] != ptr[1])

  		|| (enc_utf8

! 		    && (ScreenLinesUC[off] !=

! 				(u8char_T)(c < 0x80 && u8cc[0] == 0 ? 0 : u8c)

! 			|| (ScreenLinesUC[off] != 0

! 					  && screen_comp_differs(off, u8cc))))

  #endif

  		|| ScreenAttrs[off] != attr

  		|| exmode_active;

***************

*** 7542,7548 ****

  	new_ScreenLinesUC = (u8char_T *)lalloc((long_u)(

  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);

  	for (i = 0; i < p_mco; ++i)

! 	    new_ScreenLinesC[i] = (u8char_T *)lalloc((long_u)(

  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);

      }

      if (enc_dbcs == DBCS_JPNU)

--- 7547,7553 ----

  	new_ScreenLinesUC = (u8char_T *)lalloc((long_u)(

  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);

  	for (i = 0; i < p_mco; ++i)

! 	    new_ScreenLinesC[i] = (u8char_T *)lalloc_clear((long_u)(

  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);

      }

      if (enc_dbcs == DBCS_JPNU)

*** ../vim-7.2.405/src/version.c	2010-03-23 14:39:07.000000000 +0100

--- src/version.c	2010-03-23 15:34:11.000000000 +0100

***************

*** 683,684 ****

--- 683,686 ----

  {   /* Add new patch number below this line */

+ /**/

+     406,

  /**/

-- 

VOICE OVER: As the horrendous Black Beast lunged forward, escape for Arthur

            and his knights seemed hopeless,  when, suddenly ... the animator

            suffered a fatal heart attack.

ANIMATOR:   Aaaaagh!

VOICE OVER: The cartoon peril was no more ... The Quest for Holy Grail could

            continue.

                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\

///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\

\\\        download, build and distribute -- http://www.A-A-P.org        ///

 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///