Mercurial > vim
comparison src/mbyte.c @ 3812:f86619764a1e v7.3.664
updated for version 7.3.664
Problem: Buffer overflow in unescaping text. (Raymond Ko)
Solution: Limit check for multi-byte character to 4 bytes.
| author | Bram Moolenaar <bram@vim.org> |
|---|---|
| date | Tue, 18 Sep 2012 18:03:37 +0200 |
| parents | a8897fd5d074 |
| children | be1cffa1e477 |
comparison
equal
deleted
inserted
replaced
| 3811:996f1a928627 | 3812:f86619764a1e |
|---|---|
| 3791 */ | 3791 */ |
| 3792 char_u * | 3792 char_u * |
| 3793 mb_unescape(pp) | 3793 mb_unescape(pp) |
| 3794 char_u **pp; | 3794 char_u **pp; |
| 3795 { | 3795 { |
| 3796 static char_u buf[MB_MAXBYTES + 1]; | 3796 static char_u buf[6]; |
| 3797 int n, m = 0; | 3797 int n; |
| 3798 int m = 0; | |
| 3798 char_u *str = *pp; | 3799 char_u *str = *pp; |
| 3799 | 3800 |
| 3800 /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI | 3801 /* Must translate K_SPECIAL KS_SPECIAL KE_FILLER to K_SPECIAL and CSI |
| 3801 * KS_EXTRA KE_CSI to CSI. */ | 3802 * KS_EXTRA KE_CSI to CSI. |
| 3802 for (n = 0; str[n] != NUL && m <= MB_MAXBYTES; ++n) | 3803 * Maximum length of a utf-8 character is 4 bytes. */ |
| 3804 for (n = 0; str[n] != NUL && m < 4; ++n) | |
| 3803 { | 3805 { |
| 3804 if (str[n] == K_SPECIAL | 3806 if (str[n] == K_SPECIAL |
| 3805 && str[n + 1] == KS_SPECIAL | 3807 && str[n + 1] == KS_SPECIAL |
| 3806 && str[n + 2] == KE_FILLER) | 3808 && str[n + 2] == KE_FILLER) |
| 3807 { | 3809 { |
| 3834 if ((*mb_ptr2len)(buf) > 1) | 3836 if ((*mb_ptr2len)(buf) > 1) |
| 3835 { | 3837 { |
| 3836 *pp = str + n + 1; | 3838 *pp = str + n + 1; |
| 3837 return buf; | 3839 return buf; |
| 3838 } | 3840 } |
| 3841 | |
| 3842 /* Bail out quickly for ASCII. */ | |
| 3843 if (buf[0] < 128) | |
| 3844 break; | |
| 3839 } | 3845 } |
| 3840 return NULL; | 3846 return NULL; |
| 3841 } | 3847 } |
| 3842 | 3848 |
| 3843 /* | 3849 /* |