vim: src/regexp.c comparison

comparison src/regexp.c @ 29048:c98fc7a4dde4 v8.2.5046

patch 8.2.5046: vim_regsub() can overwrite the destination Commit: https://github.com/vim/vim/commit/4aaf3e7f4db599932d01d87e5bbcdc342cccee27 Author: Bram Moolenaar <Bram@vim.org> Date: Mon May 30 20:58:55 2022 +0100 patch 8.2.5046: vim_regsub() can overwrite the destination Problem: vim_regsub() can overwrite the destination. Solution: Pass the destination length, give an error when it doesn't fit.

author	Bram Moolenaar <Bram@vim.org>
date	Mon, 30 May 2022 22:00:03 +0200
parents	bfd8e25fa207
children	b90bca860b5a

comparison

equal deleted inserted replaced

-:fd46c946d9bf
+:c98fc7a4dde4
 * This is impossible, so we declare a pointer to a function returning a
 * void pointer. This should work for all compilers.
 */
 typedef void (*(*fptr_T)(int *, int));
-static int vim_regsub_both(char_u *source, typval_T *expr, char_u *dest, int copy, int magic, int backslash);
+static int vim_regsub_both(char_u *source, typval_T *expr, char_u *dest, int destlen, int flags);
 static fptr_T
 do_upper(int *d, int c)
 {
 *d = MB_TOUPPER(c);
 /*
 * vim_regsub() - perform substitutions after a vim_regexec() or
 * vim_regexec_multi() match.
 *
-* If "copy" is TRUE really copy into "dest".
+* If "flags" has REGSUB_COPY really copy into "dest[destlen]".
-* If "copy" is FALSE nothing is copied, this is just to find out the length
+* Oterwise nothing is copied, only compue the length of the result.
-* of the result.
 *
-* If "backslash" is TRUE, a backslash will be removed later, need to double
+* If "flags" has REGSUB_MAGIC then behave like 'magic' is set.
-* them to keep them, and insert a backslash before a CR to avoid it being
+*
-* replaced with a line break later.
+* If "flags" has REGSUB_BACKSLASH a backslash will be removed later, need to
+* double them to keep them, and insert a backslash before a CR to avoid it
+* being replaced with a line break later.
 *
 * Note: The matched text must not change between the call of
 * vim_regexec()/vim_regexec_multi() and vim_regsub()!  It would make the back
 * references invalid!
 *
 vim_regsub(
 regmatch_T	*rmp,
 char_u	*source,
 typval_T	*expr,
 char_u	*dest,
-int		copy,
+int		destlen,
-int		magic,
+int		flags)
-int		backslash)
 {
 int		result;
 regexec_T	rex_save;
 int		rex_in_use_save = rex_in_use;
 rex.reg_match = rmp;
 rex.reg_mmatch = NULL;
 rex.reg_maxline = 0;
 rex.reg_buf = curbuf;
 rex.reg_line_lbr = TRUE;
-result = vim_regsub_both(source, expr, dest, copy, magic, backslash);
+result = vim_regsub_both(source, expr, dest, destlen, flags);
 rex_in_use = rex_in_use_save;
 if (rex_in_use)
 	rex = rex_save;
 vim_regsub_multi(
 regmmatch_T	*rmp,
 linenr_T	lnum,
 char_u	*source,
 char_u	*dest,
-int		copy,
+int		destlen,
-int		magic,
+int		flags)
-int		backslash)
 {
 int		result;
 regexec_T	rex_save;
 int		rex_in_use_save = rex_in_use;
 rex.reg_mmatch = rmp;
 rex.reg_buf = curbuf;	// always works on the current buffer!
 rex.reg_firstlnum = lnum;
 rex.reg_maxline = curbuf->b_ml.ml_line_count - lnum;
 rex.reg_line_lbr = FALSE;
-result = vim_regsub_both(source, NULL, dest, copy, magic, backslash);
+result = vim_regsub_both(source, NULL, dest, destlen, flags);
 rex_in_use = rex_in_use_save;
 if (rex_in_use)
 	rex = rex_save;
 static int
 vim_regsub_both(
 char_u	*source,
 typval_T	*expr,
 char_u	*dest,
-int		copy,
+int		destlen,
-int		magic,
+int		flags)
-int		backslash)
 {
 char_u	*src;
 char_u	*dst;
 char_u	*s;
 int		c;
 linenr_T	clnum = 0;	// init for GCC
 int		len = 0;	// init for GCC
 #ifdef FEAT_EVAL
 static char_u   *eval_result = NULL;
 #endif
+int		copy = flags & REGSUB_COPY;
 // Be paranoid...
 if ((source == NULL && expr == NULL) || dest == NULL)
 {
 	emsg(_(e_null_argument));
 if (expr != NULL || (source[0] == '\\' && source[1] == '='))
 {
 #ifdef FEAT_EVAL
 	// To make sure that the length doesn't change between checking the
 	// length and copying the string, and to speed up things, the
-	// resulting string is saved from the call with "copy" == FALSE to the
+	// resulting string is saved from the call with "flags & REGSUB_COPY"
-	// call with "copy" == TRUE.
+	// == 0 to the // call with "flags & REGSUB_COPY" != 0.
 	if (copy)
 	{
 	    if (eval_result != NULL)
 	    {
 		STRCPY(dest, eval_result);
 			if (*s == NL && !rsm.sm_line_lbr)
 			    *s = CAR;
 			had_backslash = TRUE;
 		    }
 		}
-		if (had_backslash && backslash)
+		if (had_backslash && (flags & REGSUB_BACKSLASH))
 		{
 		    // Backslashes will be consumed, need to double them.
 		    s = vim_strsave_escaped(eval_result, (char_u *)"\\");
 		    if (s != NULL)
 		    {
 #endif
 }
 else
 while ((c = *src++) != NUL)
 {
-	if (c == '&' && magic)
+	if (c == '&' && (flags & REGSUB_MAGIC))
 	    no = 0;
 	else if (c == '\\' && *src != NUL)
 	{
-	    if (*src == '&' && !magic)
+	    if (*src == '&' && !(flags & REGSUB_MAGIC))
 	    {
 		++src;
 		no = 0;
 	    }
 	    else if ('0' <= *src && *src <= '9')
 	    if (c == K_SPECIAL && src[0] != NUL && src[1] != NUL)
 	    {
 		// Copy a special key as-is.
 		if (copy)
 		{
+		    if (dst + 3 > dest + destlen)
+		    {
+			iemsg("vim_regsub_both(): not enough space");
+			return 0;
+		    }
 		    *dst++ = c;
 		    *dst++ = *src++;
 		    *dst++ = *src++;
 		}
 		else
 		 // case 'e':   c = ESC;	++src;	break;
 		    case 'b':	c = Ctrl_H;	++src;	break;
 		    // If "backslash" is TRUE the backslash will be removed
 		    // later.  Used to insert a literal CR.
-		    default:	if (backslash)
+		    default:	if (flags & REGSUB_BACKSLASH)
 				{
 				    if (copy)
+				    {
+					if (dst + 1 > dest + destlen)
+					{
+					    iemsg("vim_regsub_both(): not enough space");
+					    return 0;
+					}
 					*dst = '\\';
+				    }
 				    ++dst;
 				}
 				c = *src++;
 		}
 	    }
 		cc = c;
 	    if (has_mbyte)
 	    {
 		int totlen = mb_ptr2len(src - 1);
+		int charlen = mb_char2len(cc);
 		if (copy)
+		{
+		    if (dst + charlen > dest + destlen)
+		    {
+			iemsg("vim_regsub_both(): not enough space");
+			return 0;
+		    }
 		    mb_char2bytes(cc, dst);
-		dst += mb_char2len(cc) - 1;
+		}
+		dst += charlen - 1;
 		if (enc_utf8)
 		{
 		    int clen = utf_ptr2len(src - 1);
 		    // If the character length is shorter than "totlen", there
 		    // are composing characters; copy them as-is.
 		    if (clen < totlen)
 		    {
 			if (copy)
+			{
+			    if (dst + totlen - clen > dest + destlen)
+			    {
+				iemsg("vim_regsub_both(): not enough space");
+				return 0;
+			    }
 			    mch_memmove(dst + 1, src - 1 + clen,
 						     (size_t)(totlen - clen));
+			}
 			dst += totlen - clen;
 		    }
 		}
 		src += totlen - 1;
 	    }
 	    else if (copy)
-		    *dst = cc;
+	    {
+		if (dst + 1 > dest + destlen)
+		{
+		    iemsg("vim_regsub_both(): not enough space");
+		    return 0;
+		}
+		*dst = cc;
+	    }
 	    dst++;
 	}
 	else
 	{
 	    if (REG_MULTI)
 			if (REG_MULTI)
 			{
 			    if (rex.reg_mmatch->endpos[no].lnum == clnum)
 				break;
 			    if (copy)
+			    {
+				if (dst + 1 > dest + destlen)
+				{
+				    iemsg("vim_regsub_both(): not enough space");
+				    return 0;
+				}
 				*dst = CAR;
+			    }
 			    ++dst;
 			    s = reg_getline(++clnum);
 			    if (rex.reg_mmatch->endpos[no].lnum == clnum)
 				len = rex.reg_mmatch->endpos[no].col;
 			    else
 			    iemsg(_(e_damaged_match_string));
 			goto exit;
 		    }
 		    else
 		    {
-			if (backslash && (*s == CAR || *s == '\\'))
+			if ((flags & REGSUB_BACKSLASH)
+						  && (*s == CAR || *s == '\\'))
 			{
 			    /*
 			     * Insert a backslash in front of a CR, otherwise
 			     * it will be replaced by a line break.
 			     * Number of backslashes will be halved later,
 			     * double them here.
 			     */
 			    if (copy)
 			    {
+				if (dst + 2 > dest + destlen)
+				{
+				    iemsg("vim_regsub_both(): not enough space");
+				    return 0;
+				}
 				dst[0] = '\\';
 				dst[1] = *s;
 			    }
 			    dst += 2;
 			}
 				cc = c;
 			    if (has_mbyte)
 			    {
 				int l;
+				int charlen;
 				// Copy composing characters separately, one
 				// at a time.
 				if (enc_utf8)
 				    l = utf_ptr2len(s) - 1;
 				else
 				    l = mb_ptr2len(s) - 1;
 				s += l;
 				len -= l;
+				charlen = mb_char2len(cc);
 				if (copy)
+				{
+				    if (dst + charlen > dest + destlen)
+				    {
+					iemsg("vim_regsub_both(): not enough space");
+					return 0;
+				    }
 				    mb_char2bytes(cc, dst);
-				dst += mb_char2len(cc) - 1;
+				}
+				dst += charlen - 1;
 			    }
 			    else if (copy)
-				    *dst = cc;
+			    {
+				if (dst + 1 > dest + destlen)
+				{
+				    iemsg("vim_regsub_both(): not enough space");
+				    return 0;
+				}
+				*dst = cc;
+			    }
 			    dst++;
 			}
 			++s;
 			--len;
 }
 #endif
 /*
 * Match a regexp against a string.
-* "rmp->regprog" is a compiled regexp as returned by vim_regcomp().
+* "rmp->regprog" must be a compiled regexp as returned by vim_regcomp().
 * Note: "rmp->regprog" may be freed and changed.
 * Uses curbuf for line count and 'iskeyword'.
 * When "nl" is TRUE consider a "\n" in "line" to be a line break.
 *
 * Return TRUE if there is a match, FALSE if not.

Mercurial > vim

comparison src/regexp.c @ 29048:c98fc7a4dde4 v8.2.5046