patch 9.0.1477: crash when recovering from corrupted swap file
Problem: Crash when recovering from corrupted swap file.
Solution: Check for a valid page count. (closes #12275)
diff --git a/src/errors.h b/src/errors.h
index f54adc7..8241dbf 100644
--- a/src/errors.h
+++ b/src/errors.h
@@ -3459,3 +3459,5 @@
EXTERN char e_incomplete_type[]
INIT(= N_("E1363: Incomplete type"));
#endif
+EXTERN char e_warning_pointer_block_corrupted[]
+ INIT(= N_("E1364: Warning: Pointer block corrupted"));
diff --git a/src/memfile.c b/src/memfile.c
index e8cbe31..2689031 100644
--- a/src/memfile.c
+++ b/src/memfile.c
@@ -431,7 +431,9 @@
* If not, allocate a new block.
*/
hp = mf_release(mfp, page_count);
- if (hp == NULL && (hp = mf_alloc_bhdr(mfp, page_count)) == NULL)
+ if (hp == NULL && page_count > 0)
+ hp = mf_alloc_bhdr(mfp, page_count);
+ if (hp == NULL)
return NULL;
hp->bh_bnum = nr;
@@ -812,9 +814,10 @@
*/
if (hp->bh_page_count != page_count)
{
- vim_free(hp->bh_data);
- if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count))
- == NULL)
+ VIM_CLEAR(hp->bh_data);
+ if (page_count > 0)
+ hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count);
+ if (hp->bh_data == NULL)
{
vim_free(hp);
return NULL;
@@ -872,7 +875,7 @@
}
/*
- * Allocate a block header and a block of memory for it
+ * Allocate a block header and a block of memory for it.
*/
static bhdr_T *
mf_alloc_bhdr(memfile_T *mfp, int page_count)
@@ -882,8 +885,7 @@
if ((hp = ALLOC_ONE(bhdr_T)) == NULL)
return NULL;
- if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count))
- == NULL)
+ if ((hp->bh_data = alloc((size_t)mfp->mf_page_size * page_count)) == NULL)
{
vim_free(hp); // not enough memory
return NULL;
@@ -893,7 +895,7 @@
}
/*
- * Free a block header and the block of memory for it
+ * Free a block header and the block of memory for it.
*/
static void
mf_free_bhdr(bhdr_T *hp)
@@ -903,7 +905,7 @@
}
/*
- * insert entry *hp in the free list
+ * Insert entry *hp in the free list.
*/
static void
mf_ins_free(memfile_T *mfp, bhdr_T *hp)
diff --git a/src/memline.c b/src/memline.c
index 7acea13..ea08d32 100644
--- a/src/memline.c
+++ b/src/memline.c
@@ -98,6 +98,9 @@
// followed by empty space until end of page
};
+// Value for pb_count_max.
+#define PB_COUNT_MAX(mfp) (short_u)(((mfp)->mf_page_size - offsetof(PTR_BL, pb_pointer)) / sizeof(PTR_EN))
+
/*
* A data block is a leaf in the tree.
*
@@ -1525,6 +1528,20 @@
pp = (PTR_BL *)(hp->bh_data);
if (pp->pb_id == PTR_ID) // it is a pointer block
{
+ int ptr_block_error = FALSE;
+ if (pp->pb_count_max != PB_COUNT_MAX(mfp))
+ {
+ ptr_block_error = TRUE;
+ pp->pb_count_max = PB_COUNT_MAX(mfp);
+ }
+ if (pp->pb_count > pp->pb_count_max)
+ {
+ ptr_block_error = TRUE;
+ pp->pb_count = pp->pb_count_max;
+ }
+ if (ptr_block_error)
+ emsg(_(e_warning_pointer_block_corrupted));
+
// check line count when using pointer block first time
if (idx == 0 && line_count != 0)
{
@@ -4162,9 +4179,7 @@
pp = (PTR_BL *)(hp->bh_data);
pp->pb_id = PTR_ID;
pp->pb_count = 0;
- pp->pb_count_max =
- (short_u)((mfp->mf_page_size - offsetof(PTR_BL, pb_pointer))
- / sizeof(PTR_EN));
+ pp->pb_count_max = PB_COUNT_MAX(mfp);
return hp;
}
diff --git a/src/testdir/test_recover.vim b/src/testdir/test_recover.vim
index 395eb06..13437cd 100644
--- a/src/testdir/test_recover.vim
+++ b/src/testdir/test_recover.vim
@@ -249,6 +249,14 @@
call assert_equal(['???EMPTY BLOCK'], getline(1, '$'))
bw!
+ " set the number of pointers in a pointer block to a large value
+ let b = copy(save_b)
+ let b[4098:4099] = 0zFFFF
+ call writefile(b, sn)
+ call assert_fails('recover Xfile1', 'E1364:')
+ call assert_equal('Xfile1', @%)
+ bw!
+
" set the block number in a pointer entry to a negative number
let b = copy(save_b)
if system_64bit
diff --git a/src/version.c b/src/version.c
index 1ffff63..c94a503 100644
--- a/src/version.c
+++ b/src/version.c
@@ -696,6 +696,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 1477,
+/**/
1476,
/**/
1475,