Blob Blame History Raw
To: vim-dev@vim.org
Subject: Patch 7.2.406
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------

Patch 7.2.406
Problem:    Patch 7.2.119 introduces uninit mem read. (Dominique Pelle)
Solution:   Only used ScreeenLinesC when ScreeenLinesUC is not zero. (Yukihiro
	    Nakadaira)  Also clear ScreeenLinesC when allocating.
Files:	    src/screen.c


*** ../vim-7.2.405/src/screen.c	2010-03-23 13:56:53.000000000 +0100
--- src/screen.c	2010-03-23 15:26:44.000000000 +0100
***************
*** 25,34 ****
   * one character which occupies two display cells.
   * For UTF-8 a multi-byte character is converted to Unicode and stored in
   * ScreenLinesUC[].  ScreenLines[] contains the first byte only.  For an ASCII
!  * character without composing chars ScreenLinesUC[] will be 0.  When the
!  * character occupies two display cells the next byte in ScreenLines[] is 0.
   * ScreenLinesC[][] contain up to 'maxcombine' composing characters
!  * (drawn on top of the first character).  They are 0 when not used.
   * ScreenLines2[] is only used for euc-jp to store the second byte if the
   * first byte is 0x8e (single-width character).
   *
--- 25,35 ----
   * one character which occupies two display cells.
   * For UTF-8 a multi-byte character is converted to Unicode and stored in
   * ScreenLinesUC[].  ScreenLines[] contains the first byte only.  For an ASCII
!  * character without composing chars ScreenLinesUC[] will be 0 and
!  * ScreenLinesC[][] is not used.  When the character occupies two display
!  * cells the next byte in ScreenLines[] is 0.
   * ScreenLinesC[][] contain up to 'maxcombine' composing characters
!  * (drawn on top of the first character).  There is 0 after the last one used.
   * ScreenLines2[] is only used for euc-jp to store the second byte if the
   * first byte is 0x8e (single-width character).
   *
***************
*** 4893,4898 ****
--- 4894,4900 ----
  
  /*
   * Return if the composing characters at "off_from" and "off_to" differ.
+  * Only to be used when ScreenLinesUC[off_from] != 0.
   */
      static int
  comp_char_differs(off_from, off_to)
***************
*** 6281,6286 ****
--- 6283,6289 ----
  /*
   * Return TRUE if composing characters for screen posn "off" differs from
   * composing characters in "u8cc".
+  * Only to be used when ScreenLinesUC[off] != 0.
   */
      static int
  screen_comp_differs(off, u8cc)
***************
*** 6461,6468 ****
  		    && c == 0x8e
  		    && ScreenLines2[off] != ptr[1])
  		|| (enc_utf8
! 		    && (ScreenLinesUC[off] != (u8char_T)(c >= 0x80 ? u8c : 0)
! 			|| screen_comp_differs(off, u8cc)))
  #endif
  		|| ScreenAttrs[off] != attr
  		|| exmode_active;
--- 6464,6473 ----
  		    && c == 0x8e
  		    && ScreenLines2[off] != ptr[1])
  		|| (enc_utf8
! 		    && (ScreenLinesUC[off] !=
! 				(u8char_T)(c < 0x80 && u8cc[0] == 0 ? 0 : u8c)
! 			|| (ScreenLinesUC[off] != 0
! 					  && screen_comp_differs(off, u8cc))))
  #endif
  		|| ScreenAttrs[off] != attr
  		|| exmode_active;
***************
*** 7542,7548 ****
  	new_ScreenLinesUC = (u8char_T *)lalloc((long_u)(
  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);
  	for (i = 0; i < p_mco; ++i)
! 	    new_ScreenLinesC[i] = (u8char_T *)lalloc((long_u)(
  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);
      }
      if (enc_dbcs == DBCS_JPNU)
--- 7547,7553 ----
  	new_ScreenLinesUC = (u8char_T *)lalloc((long_u)(
  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);
  	for (i = 0; i < p_mco; ++i)
! 	    new_ScreenLinesC[i] = (u8char_T *)lalloc_clear((long_u)(
  			     (Rows + 1) * Columns * sizeof(u8char_T)), FALSE);
      }
      if (enc_dbcs == DBCS_JPNU)
*** ../vim-7.2.405/src/version.c	2010-03-23 14:39:07.000000000 +0100
--- src/version.c	2010-03-23 15:34:11.000000000 +0100
***************
*** 683,684 ****
--- 683,686 ----
  {   /* Add new patch number below this line */
+ /**/
+     406,
  /**/

-- 
VOICE OVER: As the horrendous Black Beast lunged forward, escape for Arthur
            and his knights seemed hopeless,  when, suddenly ... the animator
            suffered a fatal heart attack.
ANIMATOR:   Aaaaagh!
VOICE OVER: The cartoon peril was no more ... The Quest for Holy Grail could
            continue.
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///