Mercurial > vim
comparison src/spell.c @ 9898:bff8a09016a5 v7.4.2223
commit https://github.com/vim/vim/commit/d3c907b5d2b352482b580a0cf687cbbea4c19ea1
Author: Bram Moolenaar <Bram@vim.org>
Date: Wed Aug 17 21:32:09 2016 +0200
patch 7.4.2223
Problem: Buffer overflow when using latin1 character with feedkeys().
Solution: Check for an illegal character. Add a test.
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Wed, 17 Aug 2016 21:45:07 +0200 |
parents | fd9727ae3c49 |
children | 9560a2eb7968 |
comparison
equal
deleted
inserted
replaced
9897:9d1354639a36 | 9898:bff8a09016a5 |
---|---|
5377 } | 5377 } |
5378 | 5378 |
5379 #ifdef FEAT_MBYTE | 5379 #ifdef FEAT_MBYTE |
5380 if (has_mbyte) | 5380 if (has_mbyte) |
5381 { | 5381 { |
5382 n = mb_cptr2len(p); | 5382 n = MB_CPTR2LEN(p); |
5383 c = mb_ptr2char(p); | 5383 c = mb_ptr2char(p); |
5384 if (p[n] == NUL) | 5384 if (p[n] == NUL) |
5385 c2 = NUL; | 5385 c2 = NUL; |
5386 else if (!soundfold && !spell_iswordp(p + n, curwin)) | 5386 else if (!soundfold && !spell_iswordp(p + n, curwin)) |
5387 c2 = c; /* don't swap non-word char */ | 5387 c2 = c; /* don't swap non-word char */ |
5475 * "fword" here, it's changed back afterwards at STATE_UNSWAP3. */ | 5475 * "fword" here, it's changed back afterwards at STATE_UNSWAP3. */ |
5476 p = fword + sp->ts_fidx; | 5476 p = fword + sp->ts_fidx; |
5477 #ifdef FEAT_MBYTE | 5477 #ifdef FEAT_MBYTE |
5478 if (has_mbyte) | 5478 if (has_mbyte) |
5479 { | 5479 { |
5480 n = mb_cptr2len(p); | 5480 n = MB_CPTR2LEN(p); |
5481 c = mb_ptr2char(p); | 5481 c = mb_ptr2char(p); |
5482 fl = mb_cptr2len(p + n); | 5482 fl = MB_CPTR2LEN(p + n); |
5483 c2 = mb_ptr2char(p + n); | 5483 c2 = mb_ptr2char(p + n); |
5484 if (!soundfold && !spell_iswordp(p + n + fl, curwin)) | 5484 if (!soundfold && !spell_iswordp(p + n + fl, curwin)) |
5485 c3 = c; /* don't swap non-word char */ | 5485 c3 = c; /* don't swap non-word char */ |
5486 else | 5486 else |
5487 c3 = mb_ptr2char(p + n + fl); | 5487 c3 = mb_ptr2char(p + n + fl); |
5594 ++depth; | 5594 ++depth; |
5595 p = fword + sp->ts_fidx; | 5595 p = fword + sp->ts_fidx; |
5596 #ifdef FEAT_MBYTE | 5596 #ifdef FEAT_MBYTE |
5597 if (has_mbyte) | 5597 if (has_mbyte) |
5598 { | 5598 { |
5599 n = mb_cptr2len(p); | 5599 n = MB_CPTR2LEN(p); |
5600 c = mb_ptr2char(p); | 5600 c = mb_ptr2char(p); |
5601 fl = mb_cptr2len(p + n); | 5601 fl = MB_CPTR2LEN(p + n); |
5602 fl += mb_cptr2len(p + n + fl); | 5602 fl += MB_CPTR2LEN(p + n + fl); |
5603 mch_memmove(p, p + n, fl); | 5603 mch_memmove(p, p + n, fl); |
5604 mb_char2bytes(c, p + fl); | 5604 mb_char2bytes(c, p + fl); |
5605 stack[depth].ts_fidxtry = sp->ts_fidx + n + fl; | 5605 stack[depth].ts_fidxtry = sp->ts_fidx + n + fl; |
5606 } | 5606 } |
5607 else | 5607 else |
5659 ++depth; | 5659 ++depth; |
5660 p = fword + sp->ts_fidx; | 5660 p = fword + sp->ts_fidx; |
5661 #ifdef FEAT_MBYTE | 5661 #ifdef FEAT_MBYTE |
5662 if (has_mbyte) | 5662 if (has_mbyte) |
5663 { | 5663 { |
5664 n = mb_cptr2len(p); | 5664 n = MB_CPTR2LEN(p); |
5665 n += mb_cptr2len(p + n); | 5665 n += MB_CPTR2LEN(p + n); |
5666 c = mb_ptr2char(p + n); | 5666 c = mb_ptr2char(p + n); |
5667 tl = mb_cptr2len(p + n); | 5667 tl = MB_CPTR2LEN(p + n); |
5668 mch_memmove(p + tl, p, n); | 5668 mch_memmove(p + tl, p, n); |
5669 mb_char2bytes(c, p); | 5669 mb_char2bytes(c, p); |
5670 stack[depth].ts_fidxtry = sp->ts_fidx + n + tl; | 5670 stack[depth].ts_fidxtry = sp->ts_fidx + n + tl; |
5671 } | 5671 } |
5672 else | 5672 else |
5953 * round[depth] == 2: Try using the upper-case character. | 5953 * round[depth] == 2: Try using the upper-case character. |
5954 */ | 5954 */ |
5955 #ifdef FEAT_MBYTE | 5955 #ifdef FEAT_MBYTE |
5956 if (has_mbyte) | 5956 if (has_mbyte) |
5957 { | 5957 { |
5958 flen = mb_cptr2len(fword + fwordidx[depth]); | 5958 flen = MB_CPTR2LEN(fword + fwordidx[depth]); |
5959 ulen = mb_cptr2len(uword + uwordidx[depth]); | 5959 ulen = MB_CPTR2LEN(uword + uwordidx[depth]); |
5960 } | 5960 } |
5961 else | 5961 else |
5962 #endif | 5962 #endif |
5963 ulen = flen = 1; | 5963 ulen = flen = 1; |
5964 if (round[depth] == 1) | 5964 if (round[depth] == 1) |