Patch #2856 2009-12-08 16:44
techy
parserthread accesses memory behind the end of the string
- 2856-parserthread_a.patch (1.8 KB)
Index: src/plugins/codecompletion/parser/parserthread.cpp
===================================================================
--- src/plugins/codecompletion/parser/parserthread.cpp (revision 5964)
+++ src/plugins/codecompletion/parser/parserthread.cpp (working copy)
@@ -895,9 +895,9 @@
str += *ptr;
//find end
int n = 0;
+ ptr++;
while(*ptr != _T('\0'))
{
- ptr++;
if (*ptr == _T('('))
n++;
else if (*ptr == _T(')'))
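Review bot: the `ptr++` that now precedes the `while(*ptr != _T('\0'))` test has its counterpart at the bottom of the loop body (next hunk), so any `continue` in the body between the two hunks would skip the increment and re-examine the same character forever; please confirm there is none, or move the increment into a `for` header where it cannot be bypassed. Otherwise the change is correct: the old body advanced `ptr` and then dereferenced it before the terminator was ever checked, while now the condition sees each character before the body reads it.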
@@ -912,6 +912,7 @@
skip = false;
break;
}
+ ptr++;
}
}
}
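Review bot: the `break` two lines above the new `ptr++` leaves `ptr` on the character that ended the search (the closing parenthesis, by the `n` counting in the previous hunk), whereas a normal loop exit leaves it on the terminator; that matches the old behaviour, since the old `break` also skipped the increment, but the code after the loop now has to cope with both positions, which is why the `*ptr != _T('\0')` guards later in this patch matter. A one-line comment here stating where `ptr` points on each exit path would make that contract explicit.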
@@ -925,7 +926,7 @@
{
if (*ptr != _T(' '))
str += *ptr;
- *ptr++;
+ ptr++;
}
skip = true;
sym = true;
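Review bot: `*ptr++;` to `ptr++;` here, and the identical change in the next hunk at line 935, is a cleanup only: the old statement dereferenced `ptr` and discarded the value, so it never read further than the loop body already had. Whether these loops can run past the terminator is decided by their `while` condition, which sits above the hunk and is unchanged, so these two hunks do not alter memory behaviour; fine to keep (it is the kind of statement `-Wunused-value` complains about), but the patch description should list them among the cosmetic changes.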
@@ -935,7 +936,7 @@
{
if (*ptr != _T(' '))
str += *ptr;
- *ptr++;
+ ptr++;
}
skip = true;
sym = true;
@@ -950,19 +951,23 @@
default:
sym = false;
}
+
if (!skip || sym)
{
- str += *ptr;
+ if (*ptr != _T('\0'))
+ str += *ptr;
if (wxIsalnum(*ptr))
word += *ptr;
}
- if (sym == true && skip == false)
+ if (sym && !skip)
{
while (*ptr != _T('\0') && *(ptr+1) == _T(' '))
ptr++;
}
- ptr++;
+
+ if (*ptr != _T('\0'))
+ ptr++;
}
return str;
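Review bot: the new `if (*ptr != _T('\0')) ptr++;` at the end of the loop body only stops the over-read if the enclosing loop's condition is `*ptr != _T('\0')`; that condition is outside the hunk, and if it is anything else a `ptr` parked on the terminator no longer advances and the loop never ends, so please confirm it or make the check part of the loop condition explicitly. The `if (*ptr != _T('\0')) str += *ptr;` guard is consistent with that: the parenthesis-matching loop in the first hunk can leave `ptr` on the terminator, and the whitespace-skipping `while` under `sym && !skip` already tests `*ptr` before looking at `*(ptr+1)`, so both new checks cover the same case. The `sym == true && skip == false` rewrite and the two added blank lines are style changes mixed into a crash fix; harmless, but easier to review as a separate patch.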
History
techy 2009-12-08 16:51
In GetRealArgs() there are several places where the parser can skip the final '\0' and continue reading behind it. This led to a segfault on my machine at least once. I've fixed this (plus made some cosmetic changes where I could not resist).
This patch fixes _only_ the memory problems - after looking at the code briefly, I'm not quite convinced that it does the right thing, but I may be wrong. There is another crasher on my system when I click something in the symbols browser, which could also be related. If I have time, I'll look into this, but as I don't use the symbols browser normally, this is low priority for me.