From 2ccf551817d108e48cc9201e168d66b9117bfcba Mon Sep 17 00:00:00 2001
From: xaizek
Date: Sat, 8 Feb 2020 14:34:36 +0200
Subject: [PATCH 1/2] Fix crash on adding a line to a view

Occurs on splitting a diff chunk.

memmove() call is supposed to move `old_size - pos` elements that were already there before invocation of add_line_at() to make space for the new one. However, because `view->lines` is increased *before* the move, it tries to move one more element than it should and ends up writing outside of allocated chunk of memory.

Fixes #523.
---
 src/view.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/view.c b/src/view.c
index 51a5ebea7..0447bc017 100644
--- a/src/view.c
+++ b/src/view.c
@@ -1592,7 +1592,7 @@ add_line_at(struct view *view, unsigned long pos, const void *data, enum line_ty
 	line = view->line + pos;
 	lineno = line->lineno;
 
-	memmove(line + 1, line, (view->lines - pos) * sizeof(*view->line));
+	memmove(line + 1, line, (view->lines - 1 - pos) * sizeof(*view->line));
 	while (pos < view->lines) {
 		view->line[pos].lineno++;
 		view->line[pos++].dirty = 1;

From c6a7bdd606eed8df8b6e0a0e2d0f66f38758a3ad Mon Sep 17 00:00:00 2001
From: xaizek
Date: Sat, 8 Feb 2020 14:58:30 +0200
Subject: [PATCH 2/2] Fix memory leak in diff unit

While lines of `context->cell_text` were freed, the array of pointers to lines wasn't.
---
 src/diff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/diff.c b/src/diff.c
index 2dcc1842d..6f1f4456d 100644
--- a/src/diff.c
+++ b/src/diff.c
@@ -113,6 +113,7 @@ diff_common_add_line(struct view *view, const char *text, enum line_type type, s
 	free(cell_text);
 	argv_free(context->cell_text);
+	free(context->cell_text);
 	if (!line)
 		return NULL;
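Review bot: The new length `view->lines - 1 - pos` is unsigned arithmetic (`pos` is `unsigned long` in the signature shown in the hunk header), so a caller passing `pos` larger than the pre-increment line count makes the byte count wrap and memmove() writes far past the array; nothing in the hunk rejects that case. A guard before the move, `assert(pos < view->lines); /* view->lines already counts the new entry */`, would make the invariant the commit message relies on explicit and catch the bug class this commit fixes the next time it regresses. The `- 1` itself is easy to misread as an off-by-one and deserves a why-comment, e.g. `/* view->lines was bumped for the new line; move only the old entries at and after pos */`. add_line_at() begins and ends outside the hunk, so whether `pos` is validated earlier cannot be seen here.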
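Review bot: The added `free(context->cell_text)` leaves a dangling pointer in `context`; if diff_common_add_line() is entered again with the same context, or the struct is torn down elsewhere, `argv_free(context->cell_text)` would run over freed memory and the second free() would be a double free. Resetting the field right after releasing it, `context->cell_text = NULL;`, turns any later argv_free()/free() into a no-op (free() tolerates NULL; argv_free() presumably does too — confirm). diff_common_add_line() starts and ends outside the hunk, so the lifetime of `context` past this point is not visible here.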