==6865== Conditional jump or move depends on uninitialised value(s)
==6865==    at 0x814E0BA: do_xterm_trace (os_unix.c:6121)
==6865==    by 0x814E038: start_xterm_trace (os_unix.c:6081)
==6865==    by 0x81B25BA: check_termcode (term.c:4301)
==6865==    by 0x80D4A58: vgetorpeek (getchar.c:2253)
==6865==    by 0x80D3B9C: vgetc (getchar.c:1552)
==6865==    by 0x80D4117: safe_vgetc (getchar.c:1757)
==6865==    by 0x8121D96: normal_cmd (normal.c:625)
==6865==    by 0x80E5A49: main_loop (main.c:1181)
==6865==    by 0x80E5599: main (main.c:940)
Steps to reproduce:
1/ Run vim with the mouse option in a terminal:
$ valgrind vim -u NONE -c 'set mouse=a' 2> vg.log
2/ Left click with the mouse anywhere in the terminal to position cursor
3/ Observe the valgrind error at os_unix.c:6121 (do_xterm_trace)
Cursor is positioned properly where I click (no apparent wrong
behavior despite the error).
Code in os_unix.c:
6118     /* Get the hints just before tracking starts.  The font size might
6119      * have changed recently */
6120     XGetWMNormalHints(xterm_dpy, x11_window, &xterm_hints, &got_hints);
6121     if (!(got_hints & PResizeInc)
6122             || xterm_hints.width_inc <= 1
6123             || xterm_hints.height_inc <= 1)
6124     {
6125         xterm_trace = -1;  /* Not enough data -- disable tracing */
6126         return FALSE;
6127     }
When the error happens, the call to XGetWMNormalHints(...) at line 6120 fails
somehow [i.e. it returns 0 (error), I don't know why]. When
XGetWMNormalHints(...) fails, it does not initialize the output value
got_hints, hence the access to an uninitialized value later at line 6121.
Here is a snippet of the man page of XGetWMNormalHints(...):
-------------------------------------------
The XGetWMNormalHints function returns the size hints stored in the
WM_NORMAL_HINTS property on the specified window. If the property is of type
WM_SIZE_HINTS, is of format 32, and is long enough to contain either an old
(pre-ICCCM) or new size hints structure, XGetWMNormalHints sets the various
fields of the XSizeHints structure, sets the supplied_return argument to the
list of fields that were supplied by the user (whether or not they contained
defined values), and returns a nonzero status. Otherwise, it returns a zero
status.
If XGetWMNormalHints returns successfully and a pre-ICCCM size hints property
is read, the supplied_return argument will contain the following bits:
-------------------------------------------
I attach a patch which fixes it by checking the return value of
XGetWMNormalHints(...). It would be interesting to know why
XGetWMNormalHints(...) failed in the first place though.
I am using vim-7.1 (Patches 1-220) built with 'configure --with-feature=huge',
without optimizations (-g -O0) on Linux in a gnome-terminal.
-- Dominique
Looks like a good fix. I'll include it. Thanks!
- Bram
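
The failure mode reported above, as an added example (this is not the attached patch and not Vim's code): a stub with the contract quoted from the man page stands in for XGetWMNormalHints, and the `stale` arguments model whatever was left in the output variables before the call. All `demo_*` and `trace_ok_*` names are hypothetical.

```c
#include <stdio.h>

/* Stand-ins for the Xlib types so this builds without X11 headers. */
#define DEMO_PRESIZEINC (1L << 6)   /* plays the role of PResizeInc */
typedef struct { int width_inc, height_inc; } demo_size_hints;

/* Hypothetical stub with the contract from the man page excerpt: on success
 * fill *hints and *supplied and return nonzero; on failure return zero and
 * leave both outputs untouched. */
static int demo_get_hints(int property_ok, demo_size_hints *hints, long *supplied)
{
    if (!property_ok)
        return 0;
    hints->width_inc = 7;
    hints->height_inc = 14;
    *supplied = DEMO_PRESIZEINC;
    return 1;
}

/* Pattern from the report: status ignored. `stale` is passed in explicitly
 * so the demo stays well defined instead of reading indeterminate memory. */
int trace_ok_unchecked(int property_ok, long stale, demo_size_hints stale_hints)
{
    long got_hints = stale;
    demo_size_hints h = stale_hints;

    (void)demo_get_hints(property_ok, &h, &got_hints);
    return (got_hints & DEMO_PRESIZEINC) && h.width_inc > 1 && h.height_inc > 1;
}

/* Hardened: the outputs are consulted only after a nonzero status. */
int trace_ok_checked(int property_ok, long stale, demo_size_hints stale_hints)
{
    long got_hints = stale;
    demo_size_hints h = stale_hints;

    if (!demo_get_hints(property_ok, &h, &got_hints))
        return 0;   /* no usable hints: disable tracing */
    return (got_hints & DEMO_PRESIZEINC) && h.width_inc > 1 && h.height_inc > 1;
}

int main(void)
{
    demo_size_hints junk = { 99, 99 };   /* constructed leftover values */
    printf("failed call, unchecked: %d\n", trace_ok_unchecked(0, ~0L, junk));
    printf("failed call, checked:   %d\n", trace_ok_checked(0, ~0L, junk));
    return 0;
}
```

With a failed call, the unchecked variant's decision depends entirely on the leftover values, which is the condition valgrind flags at line 6121.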