Bug#606957: vim: Vim segfaults while sending clipboard content to another application

December 13th, 2010 - 06:10 am ET by Marcin Szewczyk, Wodny
Package: vim
Version: 2:7.2.445+hg~cb94c42c0e1a-1
Severity: normal


Test case:
- 9MB text file
- Iceweasel 3.5.16 with an open tab containing:
<html>
<body>
<textarea rows="24" cols="80"></textarea>
</body>
</html>

in .vimrc:
vmap <C-c> "+y

1) Select contents of the 9MB file.
2) Hit ^C
3) Focus on the textarea in Iceweasel
4) Hit ^V
5) Wait for Vim's SEGV

Backtrace:
#0 0xb72f8b81 in free () from /lib/i686/cmov/libc.so.6
No symbol table info available.
#1 0xb79b6da1 in XtFree () from /usr/lib/libXt.so.6
No symbol table info available.
#2 0xb79dc5b3 in ?? () from /usr/lib/libXt.so.6
No symbol table info available.
#3 0xb79d25ea in ?? () from /usr/lib/libXt.so.6
No symbol table info available.
#4 0xb79d271d in XtAppNextEvent () from /usr/lib/libXt.so.6
No symbol table info available.
#5 0x0815cb63 in xterm_update () at os_unix.c:6584
#6 0x0815d26d in RealWaitForChar (fd=<value optimized out>, msec=<value optimized out>, check_for_gpm=<value optimized out>) at os_unix.c:5050
finished = <value optimized out> tv = {tv_sec = 0, tv_usec = 0} efds = {fds_bits = {0 <repeats 32 times>}} tvp = 0x0 rfds = {fds_bits = {256, 0 <repeats 31 times>}} maxfd = <value optimized out> ret = 1 busy = 0 start_tv = {tv_sec = 1292234234, tv_usec = 1849354752}
#7 0x0815fb14 in WaitForChar (msec=-1) at os_unix.c:4722
gpm_process_wanted = 0 rest = 0 avail = <value optimized out>
#8 0x081621c3 in mch_inchar (buf=0x8231004 "", maxlen=76, wtime=-1, tb_change_cnt=34) at os_unix.c:413
len = <value optimized out>
#9 0x081bf43f in ui_inchar (buf=0x8231004 "", maxlen=76, wtime=-1, tb_change_cnt=34) at ui.c:193
retval = <value optimized out>
#10 0x080f0c36 in inchar (buf=0x8231004 "", maxlen=228, wait_time=-1, tb_change_cnt=34) at getchar.c:3004
len = 0 retesc = 0 script_char = -1
#11 0x080f2d47 in vgetorpeek (advance=<value optimized out>) at getchar.c:2780
c = <value optimized out> c1 = 0 keylen = <value optimized out> s = <value optimized out> mp = <value optimized out> mp2 = 0x0 mp_match = 0x0 mp_match_len = 0 timedout = 0 mapdepth = 0 mode_deleted = 0
local_State = 257 mlen = <value optimized out> max_mlen = -1073745240 i = <value optimized out> new_wcol = 0 new_wrow = <value optimized out>
idx = <value optimized out> shape_changed = 0 n = <value optimized out>
nolmaplen = -1073745204 old_wcol = <value optimized out> old_wrow = 0
wait_tb_len = 0
#12 0x080f3a8e in vgetc () at getchar.c:1559
c = <value optimized out> c2 = 0 n = <value optimized out> buf = "\000\260\207\231\267kX\231\267t\t!\b\000\000\000\000{\211\231\267" i = <value optimized out>
#13 0x080f3f9b in safe_vgetc () at getchar.c:1764
c = <value optimized out>
#14 0x08144557 in normal_cmd (oap=0xbffff400, toplevel=1) at normal.c:652
ca = {oap = 0xbffff400, prechar = 0, cmdchar = 0, nchar = 0, ncharC1 = 0, ncharC2 = 0, extra_char = 0, opcount = 0, count0 = 0, count1 = 0,
arg = 0, retval = 0, searchbuf = 0x0} c = <value optimized out> ctrl_w
= <value optimized out> old_col = 0 need_flushbuf = <value optimized
out> mapped_len = 0 old_mapped_len = 0 idx = <value optimized out>
set_prevcount = 1
#15 0x08104107 in main_loop (cmdwin=0, noexmode=0) at main.c:1210
oa = {op_type = 0, regname = 0, motion_type = 1, motion_force = 0,
use_reg_one = 0, inclusive = 0, end_adjusted = 0, start = {lnum = 1,
col = 0, coladd = 0}, end = {lnum = 219338, col = 0, coladd = 0},
cursor_start = {lnum = 0, col = 0, coladd = 0}, line_count = 219338,
empty = 0, is_VIsual = 1, block_mode = 0, start_vcol = 0, end_vcol = 0,
prev_opcount = 0, prev_count0 = 0} previous_got_int = 0
#16 0x08107612 in main (argc=2, argv=0xbffff674) at main.c:954
fname = <value optimized out> params = {argc = 2, argv = 0xbffff674,
evim_mode = 0, use_vimrc = 0x0, n_commands = 0, commands = {0x0, 0x0,
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, cmds_tofree = "\000\000\000\000\000\000\000\000\000", n_pre_commands = 0,
pre_commands = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
edit_type = 1, tagname = 0x0, use_ef = 0x0, want_full_screen = 1,
stdout_isatty = 1, term = 0x0, ask_for_key = 0, no_swap_file = 0,
use_debug_break_level = -1, window_count = 1, window_layout = 0,
serverArg = 0, serverName_arg = 0x0, serverStr = 0x0, serverStrEnc = 0x0, servername = 0x825a9a0 "VIM", diff_mode = 0, vi_mode = 0} i = <value optimized out>




Debian Release: squeeze/sid
APT prefers testing
APT policy: (600, 'testing'), (500, 'stable'), (50, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages vim depends on:
ii libacl1 2.2.49-4 Access control list shared library
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libgpm2 1.20.4-3.3 General Purpose Mouse - shared lib
ii libncurses5 5.7+20100313-4 shared libraries for terminal hand
ii libselinux1 2.0.96-1 SELinux runtime shared libraries
ii vim-common 2:7.2.445+hg~cb94c42c0e1a-1 Vi IMproved - Common files
ii vim-runtime 2:7.2.445+hg~cb94c42c0e1a-1 Vi IMproved - Runtime files

vim recommends no packages.

Versions of packages vim suggests:
ii exuberant-ctags [ctags] 1:5.8-3 build tag file indexes of source c
pn vim-doc <none> (no description available)
ii vim-scripts 20091011 plugins for vim, adding bells and





Replies

#1 James Vega
December 14th, 2010 - 08:20 am ET

tag 606957 unreproducible
thanks

On Mon, Dec 13, 2010 at 11:37:26AM +0100, Marcin Szewczyk, Wodny wrote:
> Test case:
> - 9MB text file
> - Iceweasel 3.5.16 with an open tab containing:
> <html>
> <body>
> <textarea rows="24" cols="80"></textarea>
> </body>
> </html>
>
> in .vimrc:
> vmap <C-c> "+y
>
> 1) Select contents of the 9MB file.
> 2) Hit ^C
> 3) Focus on the textarea in Iceweasel
> 4) Hit ^V
> 5) Wait for Vim's SEGV

I waited and instead the text field received the whole paste and Vim was
still running. Iceweasel was very CPU intensive when doing the paste
(and when clearing the textarea between attempts to reproduce) but other
than that I didn't see any abnormal behavior.

James
GPG Key: 1024D/61326D40 2003-09-02 James Vega





