Mercurial > vim
comparison src/evalfunc.c @ 9898:bff8a09016a5 v7.4.2223
commit https://github.com/vim/vim/commit/d3c907b5d2b352482b580a0cf687cbbea4c19ea1
Author: Bram Moolenaar <Bram@vim.org>
Date: Wed Aug 17 21:32:09 2016 +0200
patch 7.4.2223
Problem: Buffer overflow when using latin1 character with feedkeys().
Solution: Check for an illegal character. Add a test.
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Wed, 17 Aug 2016 21:45:07 +0200 |
parents | 4b53f6be10c0 |
children | daecffbd0322 |
comparison
equal
deleted
inserted
replaced
9897:9d1354639a36 | 9898:bff8a09016a5 |
---|---|
11164 { | 11164 { |
11165 rettv->vval.v_number = mb_ptr2char(str + byteidx); | 11165 rettv->vval.v_number = mb_ptr2char(str + byteidx); |
11166 break; | 11166 break; |
11167 } | 11167 } |
11168 --charidx; | 11168 --charidx; |
11169 byteidx += mb_cptr2len(str + byteidx); | 11169 byteidx += MB_CPTR2LEN(str + byteidx); |
11170 } | 11170 } |
11171 } | 11171 } |
11172 #else | 11172 #else |
11173 if (charidx < len) | 11173 if (charidx < len) |
11174 rettv->vval.v_number = str[charidx]; | 11174 rettv->vval.v_number = str[charidx]; |
11324 if (!error) | 11324 if (!error) |
11325 { | 11325 { |
11326 if (nchar > 0) | 11326 if (nchar > 0) |
11327 while (nchar > 0 && nbyte < slen) | 11327 while (nchar > 0 && nbyte < slen) |
11328 { | 11328 { |
11329 nbyte += mb_cptr2len(p + nbyte); | 11329 nbyte += MB_CPTR2LEN(p + nbyte); |
11330 --nchar; | 11330 --nchar; |
11331 } | 11331 } |
11332 else | 11332 else |
11333 nbyte = nchar; | 11333 nbyte = nchar; |
11334 if (argvars[2].v_type != VAR_UNKNOWN) | 11334 if (argvars[2].v_type != VAR_UNKNOWN) |
11339 int off = nbyte + len; | 11339 int off = nbyte + len; |
11340 | 11340 |
11341 if (off < 0) | 11341 if (off < 0) |
11342 len += 1; | 11342 len += 1; |
11343 else | 11343 else |
11344 len += mb_cptr2len(p + off); | 11344 len += MB_CPTR2LEN(p + off); |
11345 --charlen; | 11345 --charlen; |
11346 } | 11346 } |
11347 } | 11347 } |
11348 else | 11348 else |
11349 len = slen - nbyte; /* default: all bytes that are available. */ | 11349 len = slen - nbyte; /* default: all bytes that are available. */ |